topic Query for multi time fields in Dashboards & Visualizations

Query for multi time fields

thomas6m — Wed, 30 Sep 2020 05:08:24 GMT

Hi Team,

We have three time fields

Time - Indexed time( CSV file uploaded time)
Last_uploaded - Microservices latest deployed time
Running_since - Microservices start time

All time fields are in "%+" (Fri Apr 24 05:00:20 +08 2020) format and are in the same timezone

Below fields are getting pushed to splunk through csv file

Time,Org,Space,Microservices,State,Stack,Buildpacks,Last_uploaded,Total_instance,Running_instance,Instance_state,Running_since,Used_CPU,Used_memory_bytes,Total_memory_bytes,Used_disk_bytes,Total_disk_bytes

Please help in how to create input panel for Last_uploaded, Running_since & what would be the query for the below requirement

How to query all microservices deployed between particular dates example ( 14th April to 16th April )
How many microservices were started between particular days example ( 17th April to 20th April )

Tired few options but no luck luck

| eval _time=strptime(Time,"%+") | eval Latest_deployment_time=strptime(Last_uploaded,"%+") | eval Instance_start_time=strptime(Running_since,"%+")

Regards,
Thomas Mathias

Re: Query for multi time fields

to4kawa — Fri, 24 Apr 2020 23:09:33 GMT

use stats count with time picker
use timechart with rename Running_since as _time

Re: Query for multi time fields

thomas6m — Wed, 30 Sep 2020 05:13:29 GMT

Thanks for your response. I am trying with single static table panel. Based on input panel selection, it should display the result. I will have the below input panels and they are interconnected. Based on user selection, it will display the result

Time,Org,Space,Microservices,State,Buildpacks,Last_uploaded,Total_instance,Running_instance,Instance_state,Running_since

Re: Query for multi time fields

to4kawa — Sat, 25 Apr 2020 00:24:15 GMT

What's your query?
I can't make query with no log.

Re: Query for multi time fields

DalJeanis — Tue, 28 Apr 2020 18:03:25 GMT

Basically, you need to turn those nasty time formats into internal formats, which if I've decoded this correctly will look like this:

| eval time_Uploaded = strptime(Last_uploaded,"%a %b %d %H:%M:%S %:::z %Y")

then compare to your datestamps, which you will have calculated in your dash but I'll put in hard code here.

| where time_Uploaded >= strptime("2020-04-14","%Y-%m-%d") 
    AND   time_Uploaded < strptime("2020-04-17","%Y-%m-%d")

Since these aren't the event _time or _indextime, which splunk can search on using its special time references, it may be easier, dash-wise, to have a time picker kick off a null search that returns the start and end times you want in tokens, so you don't have to deal with "now" or "-1d" or any other funky time formats.