I am trying to create a dashboard panel which will run one of the following email searches. There are a number of inputs which allow a user to filter exactly what he/she wants to search for.
- One input allows a user to select the search criteria (sender, recipient, source IP, message id, etc.)
- Another input allows the user to enter the data being searched for.
- The last input is a time picker.
Each input is a separate token. So, if one wants to search for sender=john.doe@xyz.org, for example, those values (sender, john.doe@xyz.org) would each be passed to the search with tokens.
If the time selected from the time picker is within the last 24h, a search based on raw events (including index=, eventtype=, stats, etc.) should be run. If the time selected is historic (i.e. more than 24h ago), I want to run a search based on a summary index (index=summary report=x).
I have been working to figure this out, but each attempt has been unsuccessful. Assistance with this will be greatly appreciated.
Thank you.
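One way to build the dashboard described above, as an added SimpleXML example that is not part of the original post and not a posted solution. It assumes the raw data lives in `index=mail` with an eventtype `mail_events`, that the summary index rows carry a `count` field plus the same field names (`sender`, `recipient`, `src_ip`, `message_id`) as the raw events, and that the summary search is `index=summary report=x`; all of these names are placeholders to replace. The trick is to let Splunk itself resolve the time picker (which may hand you a relative string like `-7d@d`, an epoch value, or `0` for All time) by running a one-row helper search with `addinfo`, then setting the data-source and aggregation tokens from its result before the real panel search runs.

```xml
<form>
  <label>Email search (raw events vs. summary index)</label>

  <fieldset submitButton="true">
    <!-- Search criterion: fixed choices, each one a field name in the data -->
    <input type="dropdown" token="field">
      <label>Search by</label>
      <choice value="sender">Sender</choice>
      <choice value="recipient">Recipient</choice>
      <choice value="src_ip">Source IP</choice>
      <choice value="message_id">Message ID</choice>
      <default>sender</default>
    </input>
    <!-- Free-text value, e.g. john.doe@xyz.org -->
    <input type="text" token="value">
      <label>Value</label>
    </input>
    <input type="time" token="tp">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Helper search (assumed structure): runs over the picked time range,
       reads the resolved earliest time as an epoch via addinfo, and decides
       which source and aggregation the panel should use. The cutoff is
       snapped to the hour (-24h@h) so the "Last 24 hours" preset, whose
       earliest is also -24h@h, is classified as raw and not as summary. -->
  <search id="pick_source">
    <query>
      | makeresults
      | addinfo
      | eval cutoff=relative_time(now(), "-24h@h")
      | eval src=if(info_min_time >= cutoff,
                    "index=mail eventtype=mail_events",
                    "index=summary report=x")
      | eval agg=if(info_min_time >= cutoff,
                    "stats count",
                    "stats sum(count) as count")
      | fields src agg
    </query>
    <earliest>$tp.earliest$</earliest>
    <latest>$tp.latest$</latest>
    <done>
      <set token="src">$result.src$</set>
      <set token="agg">$result.agg$</set>
    </done>
  </search>

  <row>
    <panel>
      <title>Results for $field$ = $value$</title>
      <table>
        <!-- Waits until $src$ and $agg$ are set by the helper search.
             $value|s$ quotes the user input and escapes embedded quotes
             and backslashes so it cannot break out of the field filter. -->
        <search>
          <query>$src$ $field$=$value|s$ | $agg$ by $field$</query>
          <earliest>$tp.earliest$</earliest>
          <latest>$tp.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The panel search does not run until both `$src$` and `$agg$` exist, so on every submit the helper search fires first and the panel follows with the right source and aggregation for that time range. Two checks worth doing: the summary rows must actually contain the fields the dropdown offers, otherwise the historic branch silently returns nothing; and the `|s` filter only protects `$value$`, while `$field$` can be set from the URL (`form.field=...`) to something other than a dropdown choice, so if the dashboard is exposed to untrusted users, restrict it with a lookup or a `<change>` condition rather than trusting the token blindly.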