Re: In my dashboard, how to set the default latest...

exmuzzy · ‎02-27-2017

I have time input in my dashboard:

<input type="time" token="trxTime">
 </input>

If I open dashboard with URL ...&form.trxTime.earliest=1488056400 then I get earliest=1488056400 and latest=now

How can I automatically set latest=earliest + 2d
without using URL ...&form.trxTime.latest=XXX

Something like that:

    <input type="time" token="trxTime">
      <default>
        <latest>$trxTime$ + 2d</latest>
      </default>
    </input>

lguinn2 · ‎02-27-2017

I believe that you need to use a token to calculate the value that you need. Here is a link to Token usage in dashboards, which has a lot of reference information. If trxTime is in Linux epoch time (which appears to be true), you can calculate a new token $latestTime$

<eval token="latestTime">relative_time($trxTime$,"+2d")</eval>

You may want to use something like this in combination with the tokens described in the subsection "Define tokens for time inputs" on the same page. Hopefully, this section will get you started.

exmuzzy · ‎03-02-2017

Thanks!

How to use this new token in default timer-picker?
Something like this?

<eval token="latestTime">relative_time($trxTime$,"+2d")</eval>
<input type="time" token="trxTime">
       <default>
         <latest>$latestTime$</latest>
       </default>
     </input>

aaraneta_splunk · ‎04-20-2017

@exmuzzy - Did lguinn's answer help provide a solution to your original question? If yes, please don't forget to resolve this post by clicking "Accept". Thanks!

In my dashboard, how to set the default latest time based on earliest time from a URL?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases