Solved: Why is my drop-down time token not working?

Federica_92 · ‎09-29-2015

I'm following the documentation: http://docs.splunk.com/Documentation/Splunk/6.2.3/Viz/Buildandeditforms
I created 2 really simple drop-down input, but the time range selector is not executing the searches, could someone help me?

 <form>
 <label> report</label>
 <fieldset autoRun="true" submitButton="false">
 <input type="time" searchWhenChanged="true" token="dashboardTime">
   <label>Select time range</label>
  <default>
        <earliest>-24h@h</earliest>
     <latest>now</latest>
    </default>
     </input>
<input type="dropdown" searchWhenChanged="true" token="user">
  <label>Select userName</label>
  <!-- Hard-code the choice for "All" -->
  <choice value="*">All</choice>
  <search>
    <query>index=test ActingUserName=* | dedup ActingUserName</query>
  </search>
  <fieldForLabel>ActingUserName</fieldForLabel>
  <fieldForValue>ActingUserName</fieldForValue>
</input>
  </fieldset>
   <row>
     <panel>
      <title>MessageID=109 Get file request</title>
      <table>
      <search>
            <query>index=test EventClass=109 ActingUserName=$user$ | table ActionTargetUser, ActingUserName, ActionObject, ActionReason, ActionRequestId</query>
        <earliestTime>$dashboardTime.earliest$</earliestTime>
        <latestTime>$dashboardTime.latest$</latestTime>
  </search>
    <option name="wrap">undefined</option>
    <option name="rowNumbers">undefined</option>
    <option name="drilldown">row</option>
  </table>
</panel>
   </row>

badrinath_itrs · ‎09-29-2015

Hi ,

Please change your search query xml as below so that the time ranger drop down will work for you.

      <query>index=test EventClass=109 ActingUserName=$user$ | table ActionTargetUser, ActingUserName, ActionObject, ActionReason, ActionRequestId</query>
      <earliest>$dashboardTime.earliest$</earliest>
      <latest>$dashboardTime.latest$</latest>
    </search>

Thanks .. Hope it helps.

View solution in original post

badrinath_itrs · ‎09-29-2015

Hi ,

Please change your search query xml as below so that the time ranger drop down will work for you.

      <query>index=test EventClass=109 ActingUserName=$user$ | table ActionTargetUser, ActingUserName, ActionObject, ActionReason, ActionRequestId</query>
      <earliest>$dashboardTime.earliest$</earliest>
      <latest>$dashboardTime.latest$</latest>
    </search>

Thanks .. Hope it helps.

badrinath_itrs · ‎09-29-2015

My Mistake ( Copy / Paste problem ) . It should be as below for earliest and latest time. Can you try below and let me know how it works. I have updated the same in answer section as well.

 <search>
          <query>index=test EventClass=109 ActingUserName=$user$ | table ActionTargetUser, ActingUserName, ActionObject, ActionReason, ActionRequestId</query>
          <earliest>$dashboardTime.earliest$</earliest>
          <latest>$dashboardTime.latest$</latest>
        </search>

Federica_92 · ‎09-29-2015

what exactly did you change?

badrinath_itrs · ‎09-29-2015

Instead of tag value "earliestTime" I have changed to "earliest" only . Same with latest time .

Does that help ?

Federica_92 · ‎09-30-2015

Yes, it works perfectly, thank you!

Federica_92 · ‎09-29-2015

I copy and paste it, but it still doesn't work, I'm sorry but I don't see the difference btw your query and mine..

Why is my drop-down time token not working?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk