I am currently ingesting my vulnerability scan reports into Splunk, but we receive more results than scanned as there are other details that get reported. However, there is a Last_Scan_Datetime Field that seems to be the best way to identify only results from the scan and not the other information.
I have a dashboard with Time input and lots of panels on the results of the vulnerability scan. I would like this Last_Scan_Datetime information to pre-populate based on the information selected in the Time input. How can I do this?
Currently I tried doing this:
index=main sourcetype=vulnerability_scans Last_Scan_Datetime=$TRPicker$ (TRPicker is the name of the Time Picker)
but this doesn't seem to work. However, the same syntax would work assuming it was a text box. What is the syntax for the Time Picker?
There are a couple of factors in play here
1) The token value returned by time picker is usually a relative value (-7d) depending on user selection. To overcome that, you could use $token_name.earliest$.
2) $token_name.earliest$ returns time in epoch format. So unless the time format in your field is epoch, you will have to convert it to epoch.
http://docs.splunk.com/Documentation/Splunk/6.4.1/Viz/tokens#Define_tokens_for_time_inputs
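Putting both points together, here is an added example (not code from the original thread) of a Simple XML panel that filters on Last_Scan_Datetime using the TRPicker time input from the question. It assumes the field is stored as text in the form "2016-05-01 13:45:00" (the strptime format string below is an assumption; adjust it to match your data). Rather than comparing the field against $TRPicker.earliest$ directly, which may be a relative modifier such as -7d@d or an epoch value depending on how the user picked the range, the search passes the tokens to earliest/latest and then uses addinfo, which always exposes the resolved window as epoch values in info_min_time and info_max_time.

```xml
<form>
  <label>Vulnerability scan results</label>
  <fieldset submitButton="false">
    <input type="time" token="TRPicker">
      <label>Scan window</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Findings from scans in the selected window</title>
      <table>
        <search>
          <!-- Token values may be relative (-7d@d) or epoch; let the search
               resolve them, then read the resolved window back with addinfo. -->
          <query>index=main sourcetype=vulnerability_scans
                  earliest=$TRPicker.earliest$ latest=$TRPicker.latest$
| addinfo
| eval last_scan_epoch=strptime(Last_Scan_Datetime, "%Y-%m-%d %H:%M:%S")
| where isnotnull(last_scan_epoch)
        AND last_scan_epoch >= info_min_time
        AND (info_max_time == "+Infinity" OR last_scan_epoch <= info_max_time)
| fields - info_min_time info_max_time info_search_time info_sid
| table _time host Last_Scan_Datetime severity cve plugin_name</query>
          <earliest>$TRPicker.earliest$</earliest>
          <latest>$TRPicker.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The isnotnull check drops events whose Last_Scan_Datetime does not match the assumed format instead of silently comparing null against the window, and the "+Infinity" guard keeps the filter working when the user selects All time, where addinfo reports no upper bound. The column list in the final table command (severity, cve, plugin_name) is illustrative; replace it with the fields your scanner actually reports.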