I have a search with a join and subsearch, and I wish to apply a date range to the subsearch. I have put the search into a dashboard and changed it to a form. I updated the subsearch to use a where statement to narrow the _time.
The values from the datetime picker are passed through the field1.earliest and field1.latest tokens. This works just fine so long as I set the datetime picker to "between" exact dates. If I use "last month" or one of the other relative fields I get errors, because the date modifier values d@d and @mon are passed to the token instead of the epoch date.
So, is there a way of wrapping the tokens to always get the epoch time, or do I change my query to somehow accept epoch and/or date modifiers?
Here is the subquery:
......
join name
[search sourcetype=logs
|regex user!=("[0-9].|ws_")|where isnotnull(user)
|where _time>=$field1.earliest$ AND _time<=$field1.latest$
.... ]
Thanks for your help
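Added example, not part of the original post: the `earliest=` and `latest=` time modifiers on a search accept both epoch values and relative modifiers such as `@mon`, so passing the tokens to the subsearch's base search instead of comparing `_time` in `where` covers the "between" and the relative picker presets alike. The outer search (`index=example_index sourcetype=example_outer`) and the final `stats` are hypothetical placeholders standing in for the parts elided in the post; the `regex` filter is written in standard `regex field!="pattern"` form.

```spl
index=example_index sourcetype=example_outer
| stats count AS outer_events BY name
| join name
    [ search sourcetype=logs earliest=$field1.earliest$ latest=$field1.latest$
      | where isnotnull(user)
      | regex user!="[0-9].|ws_"
      | stats latest(user) AS user BY name ]
```

A subsearch that sets its own `earliest`/`latest` uses that range instead of the one it would otherwise inherit, and the time filter is applied when events are retrieved rather than afterwards in `where`.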