Hello,
I created a simple dashboard with some panels taking data from the index. It was taking a long time to load, so I created a scheduled report and converted all panel queries to load data from that report using the loadjob savedsearch="hackathon:search:BaseSearch" events=true command.
My idea was to create a report which takes logs from "All time" and then add a time filter to the dashboard to allow a user to get what he wants.
My problem is that the time picker on my dashboard doesn't affect panels. It was working correctly with queries taking data from the index, but is not working with queries taking data from the report. I literally took the same panel and just switched the data source in the query. All other filters work. The problem is only with the time picker.
I was trying different things already to make it work:
Adding
<earliest>$input_time.earliest$</earliest>
<latest>$input_time.latest$</latest>
in the panel source (input_time is my time picker's token).
It doesn't change anything.
Changing time range in the query setting
Shared time picker - was working with panels before changing to report. Now it is not.
Use time picker - this is not what I want.
Tokens - can't set it up; every time I set it and click apply, it magically returns to its previous setting when opened again.
Global - doesn't work
Adding time filtering in query
| eval timestamp_epoch = strptime(Timestamp, "%Y-%m-%dT%H:%M:%S.%3N%z")
| where timestamp_epoch>relative_time(now(),"$input_time.earliest$")
And this partially works!
But I still have some issues with it. It only allows me to filter by the beginning of the time period using input_time.earliest. When I want to use input_time.latest (where timestamp_epoch < relative_time(now(),"$input_time.latest$")), the query returns no results. There obviously is some data, so the query should return something. The second issue is that I can use only time ranges like "24 hours ago", "7 days ago", "... ago". When I try to set the time, for example from Jan 1st to Jan 5th, it shows an error:
I think that Splunk doesn't know which "file" (or whatever structure it has) with data it should take, because one report is generating a new set of data every hour (report is scheduled to run once per hour).
Any idea how to make panels from report work with time picker?