Dashboards & Visualizations

Multiple Time range token used in dashboard search string - 'All time' error

DanielFordWA
Contributor

Hi,

I am having an issue when using multiple time range tokens in the search string.

I have built a dashboard that lets the user select a publisher and the date range over which documents were published.

I have used another time range picker so the user can see the 'Views' of those documents over a selected time period.

Everything works fine unless 'All time' is selected. I get the following error.

"Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side."

The search string is below.

  <query>index=userdoc 
| search cs_username="INT*" [| search earliest=$pubtime1.earliest$ latest=$pubtime1.latest$ index=userpubdoc | search cs_username=$Pub1token$ publicationId=$PubID1$ | fields publicationId] 
| fillnull value="0" 
| stats sum(count) AS "Client Views" dc(cs_username) AS "Client Users" by publicationId
| fillnull value="0" "Client Views" "Client Users"
| lookup PubDocs2.csv publicationId OUTPUTNEW DocTitle DocType
| table publicationId DocTitle DocType "Client Views" "Client Users"
| eval DocTitle=urldecode(DocTitle)
| eval DocType=urldecode(DocType)</query>
<earliest>$viewtime1.earliest$</earliest>
<latest>$viewtime1.latest$</latest>

Is it possible to use time range tokens this way?

The error occurs when the first time range picker is set to "All Time"

earliest=$pubtime1.earliest$ latest=$pubtime1.latest$

After looking at the job inspector the search string is populated with the below when 'All Time' is selected.

earliest=0 latest=

Is there any way around this?

Hope you can help!

Dan

0 Karma
1 Solution

ramdaspr
Contributor

Try with double quotes around the tokens.

latest="$pubtime1.latest$"

View solution in original post

ramdaspr
Contributor

Try with double quotes around the tokens.

latest="$pubtime1.latest$"

DanielFordWA
Contributor

Thanks, this corrected the issues

0 Karma

DanielFordWA
Contributor

I can confirm only the "All Time" selection causes the error.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...