Well, the base problem indeed stems from a dashboard I'm trying to create with a dynamic time picker input. I want to change the timechart span value depending on the time picker input.
I don't want to force my users into inputting the correct values for the span themselves, because it is used for internal calculation (trending script) and most of the users will not be very IT or Splunk-proficient.
Another workaround might be hidden tokens in the forms, where I calculate the correct values and then pass them on to the search string as $variables$. Not sure whether:
1) hidden tokens exist
2) things like strftime and strptime can be performed within the XML?
Edit: macros seem like a possible solution:
[get_timespan(2)]
args = e, l
definition = "floor(strptime(\"$l$\", \"%m/%d/%Y:%H:%M:%S\")-strptime(\"$e$\", \"%m/%d/%Y:%H:%M:%S\")).\"s\""
iseval = 1
This query actually returns a table with "86400s" in each row:
bla | eval span=`get_timespan("03/17/2015:00:00:00", "03/18/2015:00:00:00")` | table span
But this one fails:
bla | timechart span=`get_timespan("03/17/2015:00:00:00", "03/18/2015:00:00:00")` count
with error "The value for option span (floor(strptime(03/18/2015:00:00:00, %m/%d/%Y:%H:%M:%S)-strptime(03/17/2015:00:00:00, %m/%d/%Y:%H:%M:%S)).s) is invalid. ". I have no clue why it returns the string with the eval search, and it just expands the macro with timechart span. Getting a headache 🙂