Hi all,
I am having some issues getting a time range picker to work with a dashboard I have set up. The code I am using for the time range picker is:
<input type="dropdown" token="Time">
<label>Time Period</label>
<choice value="span=30m">30 Minutes</choice>
<choice value="span=1h">1 Hour</choice>
<choice value="span=3h">3 Hours</choice>
<choice value="span=6h">6 Hours</choice>
<choice value="span=1d">1 Day</choice>
<choice value="span=1w">1 Week</choice>
<default>1 Hour</default>
</input>
And an example of one of my dashboard panels is below:
<chart>
<searchString>index = my_index | search as-xy-1234* OR as-ip-3456* $Time$ searchterm Locations DeviceName $Device$ $Interface$ $Mode$ | top 100 DeviceName</searchString>
<title> Device</title>
<option name="charting.chart">pie</option>
</chart>
When I run the search, no results are returned and Splunk shows the above error message: Your timerange was substituted based on your search string
I couldn't find any good examples on the Splunkbase where something similar was done and the issue was resolved. I am sure it is either how I am inputting the token in my search or how I am defining my time buckets. Any input would be appreciated.
Thanks!
Try this run anywhere example of similar thing.
<form>
<label>Threat Dashboard</label>
<fieldset autoRun="false" submitButton="true">
<input type="dropdown" token="Time">
<label>Time Period</label>
<choice value="earliest=-30m@m">30 Minutes</choice>
<choice value="earliest=-60m@m">1 Hour</choice>
<choice value="earliest=-3h@h">3 Hours</choice>
<choice value="earliest=-6h@h">6 Hours</choice>
<choice value="earliest=-1d@d">1 Day</choice>
<choice value="earliest=-7d@d">1 Week</choice>
<default>1 Hour</default>
</input>
</fieldset>
<row>
<table>
<title>Investigate Source IP</title>
<searchString>
index = _internal $Time$
| search *error* | top 100 sourcetype
</searchString>
</table>
</row>
</form>