https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-timestamp-conversion-for-dashboard/m-p/366394#M41688 <P>When I have date stamps in my lookup files and want to filter results based on date, I don't use the time tokens, because there are so many variations and edge cases. Instead, I do this:</P> <PRE><CODE>| addinfo | where info_min_time&lt;=whatever_start_date_time AND info_max_time&gt;=whatever_end_time | fields - info_* </CODE></PRE> <P>The <CODE>addinfo</CODE> command will add four fields to every event - <CODE>info_max_time</CODE> (equivalent to the $latest$ token, but always in epoch format), <CODE>info_min_time</CODE> (equivalent to the $earliest$ token, but always in epoch format), <CODE>info_search_time</CODE> (when the search was run), and <CODE>info_sid</CODE> (a unique ID assigned to the search).</P> <P>The line <CODE>| fields - info_*</CODE> is just to remove those fields after I've used them for comparisons.</P> Fri, 27 Apr 2018 14:14:28 GMT elliotproebstel 2018-04-27T14:14:28Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-timestamp-conversion-for-dashboard/m-p/366393#M41687 <P>Hi, I have a lookup table which has the list of email id's and the dates they logged into the application as below, </P> <P>Username time<BR /> <A href="mailto:testuser1@gmail.com">testuser1@gmail.com</A> 03/31/2018<BR /> <A href="mailto:testuser2@gmail.com">testuser2@gmail.com</A> 03/30/2018</P> <P>if I use the date range on the Splunk dashboard, the query is working without any issue, because it shows the timestamp on the query, but if I choose the present timeframe such as last 1 day, last 30 minutes, it is populating as now and -15m, I'm unable to convert the time format, Could anyone please help me to resolve the issue?</P> <P>Query Format - <BR /> | eval mytime1=strftime($time.latest$,"%Y%m%d") <BR /> | eval mytime2=strftime($time.earliest$,"%Y%m%d") <BR /> | where mytime &lt;= mytime1 and mytime &gt;= mytime2</P> <P>Present time frame-<BR /> | eval mytime1=strftime(now,"%Y%m%d") <BR /> | eval mytime2=strftime(-15m,"%Y%m%d") <BR /> | where mytime &lt;= mytime1 and mytime &gt;= mytime2</P> <P>Date range - <BR /> | eval mytime1=strftime(1516942800,"%Y%m%d") <BR /> | eval mytime2=strftime(1514782800,"%Y%m%d") <BR /> | where mytime &lt;= mytime1 and mytime &gt;= mytime2</P> <P>Thanks,<BR /> Dhana</P> Fri, 27 Apr 2018 13:35:47 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-timestamp-conversion-for-dashboard/m-p/366393#M41687 dhanasekarjanak 2018-04-27T13:35:47Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-timestamp-conversion-for-dashboard/m-p/366394#M41688 <P>When I have date stamps in my lookup files and want to filter results based on date, I don't use the time tokens, because there are so many variations and edge cases. Instead, I do this:</P> <PRE><CODE>| addinfo | where info_min_time&lt;=whatever_start_date_time AND info_max_time&gt;=whatever_end_time | fields - info_* </CODE></PRE> <P>The <CODE>addinfo</CODE> command will add four fields to every event - <CODE>info_max_time</CODE> (equivalent to the $latest$ token, but always in epoch format), <CODE>info_min_time</CODE> (equivalent to the $earliest$ token, but always in epoch format), <CODE>info_search_time</CODE> (when the search was run), and <CODE>info_sid</CODE> (a unique ID assigned to the search).</P> <P>The line <CODE>| fields - info_*</CODE> is just to remove those fields after I've used them for comparisons.</P> Fri, 27 Apr 2018 14:14:28 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-timestamp-conversion-for-dashboard/m-p/366394#M41688 elliotproebstel 2018-04-27T14:14:28Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-timestamp-conversion-for-dashboard/m-p/366395#M41689 <P>Thank you so much! it worked. </P> <P>Dhana</P> Fri, 27 Apr 2018 15:46:44 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-timestamp-conversion-for-dashboard/m-p/366395#M41689 dhanasekarjanak 2018-04-27T15:46:44Z