How do I use a specific date/time in Splunk dashboard with earliest and latest?

Question

How do I use a specific date/time in Splunk dashboard with earliest and latest? I cannot figure out the syntax to have a Splunk dashboard take a hard-coded exact date rather than an offset.

This works perfectly well; from 2 day ago to 1 days ago, a 24 hour span:

<earliest>-2d@h</earliest>
<latest>-1d@h</latest>

I referred to this documentation: https://docs.splunk.com/Documentation/Splunk/9.1.1/Search/Specifytimemodifiersinyoursearch#:~:text=For%20exact%20time%20ranges%2C%20the,April%2027%2C%202022. and their example for search bar is:

earliest=04/19/2022:00:00:00 latest=04/27/2022:00:00:00

However, trying to apply that to my dashboard, the below gives me: Invalid earliest_time.

<earliest>11/13/2023:00:00:00</earliest>
<latest>11/14/2023:00:00:00</latest>

Answer 1

The cited docs are for specifying earliest and latest in SPL, but that's not what's happening here. This is a Simple XML dashboard with different rules. Simple XML requires earliest and latest to be either a relative time or a Unix epoch. See "Child Elements" at https://docs.splunk.com/Documentation/Splunk/9.1.2/Viz/PanelreferenceforSimplifiedXML#search

Answer 2

You can use a time picker, and then select from it the earliest and latest in your search

Say you name your time picker timetok

The search would look like this:

index=ndx sourcetype=srctp earliest=$timetok.earliest$ latest=$timetok.latest$ ...