Hello everyone!
Some background first:
I have a dashboard with many panels. I have a base search set up, and then I'm using that for the other searches on the dashboard.
I have a text input field called "source_url" and a text input field called "hits_csv". When the user of the dashboard enters the source URL and a CSV (with fields user, md5, url, epochtime, time), it then searches for all the panels.
I'm trying to automate some of the manual entry. I already have the dashboard reading in the 'url' field for the searches in the base search, by utilizing "[|inputlookup "$hits_csv$" | rename url as search]" in my search macro. Works amazing.
But now I'm trying to change the time picker's default earliest time to:
|inputlookup "$hits_csv$" | fields time (I was initially using epoch time, but saw the format needed for timepicker, so changed it to the proper format)
Only I don't see a way to give a search query to earliest (states Value node is not supposed to have children). I have also attempted to utilize change with the condition of * for the timepicker:
<change>
  <condition label="*">
    <set token="form.timepicker.earliest">([|inputlookup "$hits_csv$" | fields time])</set>
    <set token="form.timepicker.latest">relative_time([|inputlookup "$hits_csv$" | fields time]",+2d")</set>
  </condition>
</change>
I've also tried to use eval instead of set.
If this was C or bash or python, I would declare a variable and assign it the result of my query, and then pass it along later. No idea how to do this here within this frame.
Also for added info, the query "|inputlookup "$hits_csv$" | fields time" will return "06/23/2017:12:48:17", so it should be the proper format for timepicker.
If this is unclear please let me know. I've tried to do research all over these forums, and I'm just not sure if I'm the first person to try this, or something is glaringly obviously wrong here.
I'm currently running Splunk 6.5.3.