I believe it's possible but I haven't been able to figure it out yet but I would like to change the time range dynamically before the search is executed.
Basically I'm doing a chart for a certain time range but I would like to always +2 days from what the user selects.
Updated dashboard:
<form>
<label>timechanger</label>
<fieldset submitButton="false">
<input type="time" token="time" searchWhenChanged="true">
<label></label>
<default>
<earliest>-2d@d</earliest>
<latest>-1d@d</latest>
</default>
<change>
<eval token="e">if(isnum($time.latest$), relative_time($time.latest$, "+3d@d"), relative_time(relative_time(now(), $time.latest$), "+3d@d"))</eval>
</change>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=_internal sourcetype=mongod | timechart span=1d count by sourcetype</query>
<earliest>$time.earliest$</earliest>
<latest>$e$</latest>
</search>
</table>
</panel>
</row>
</form>
My simple dashboard:
<form>
<label>timechanger</label>
<fieldset submitButton="false">
<input type="time" token="time" searchWhenChanged="true">
<label></label>
<default>
<earliest>-2d@d</earliest>
<latest>-1d@d</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=_internal sourcetype=mongod | timechart span=1d count by sourcetype</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
</table>
</panel>
</row>
</form>
Not sure I understand what you mean by +2 days from what the user selects
- is the earliest or latest or both? Regardless, you can tweak this concept to fit your specific needs. In you search, you will use the new token create dynamically, instead of $time.earliest$
<input type="time" token="time" searchWhenChanged="true">
<label></label>
<default>
<earliest>-2d@d</earliest>
<latest>-1d@d</latest>
</default>
<change>
<eval token="e">if(isnum($time.earliest$, relative_time($time.earliest$, "+2d@d"), relative_time(relative_time(now(), $time.earliest$), "+2d@d")</eval>
<change>
</input>
In eval
here, even brackets are imbalance. @sundareshr - can you please correct?
Nice logic!! Wanted to create a view to analyze time zone issue for logs going into future and this is exactly what I need 🙂
The latest. Earliest can stay as is. I think I can modify what you gave me to apply on $time.latest$ and pass that as token to my panel, is that correct?
That's Correct
Okay so I added that change and it doesn't seem to be working. The updated dashboard is at top. I keep getting, "Invalid latest_time: latest_time must be after earliest_time". At first it didn't work at all because some parens were missing in the eval. It seems like it should work according to the logic in the eval. I also tried using Splunk Debugger but I couldn't figure out why the e token kept consistently being 190800. Any ideas?