topic Re: Converting relative time into epoch for the time range picker in Splunk Search

Converting relative time into epoch for the time range picker

Svill321 — Mon, 21 Aug 2017 14:03:38 GMT

Good day,

Recently, I worked on a project that required me to set up a way for users to retrieve records from SQL with varying dates. I was able to set it up to run so that they can pick explicit dates to search between with an eval statement:

[dbxquery here] | eval submitdate_epoch=strptime(submit_date, "%Y-%m-%d %H:%M:%S.%N") | search submitdate_epoch>=$timetok1.earliest$ AND submitdate_epoch<=$timetok1.latest$

However, to make things easier for the user, I'd like to also include a way to pass relative time into the search, such as "now" or "7 days ago". Is there any way to do this, and if so, can you point me towards it?

Thank you.

Re: Converting relative time into epoch for the time range picker

niketn — Mon, 21 Aug 2017 15:24:07 GMT

Since Time Token change event does not handle tokens for time, following is the workaround to achieve this:

1) Create Time input token with token name as timetok1

  <fieldset submitButton="false">
    <input type="time" token="timetok1" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-5m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

2) Add a dummy search to get time input tokens $timetok1.earliest$ and $timetok1.latest$ . Then access the default search handler tokens $job.earliesTime$ and $job.latestTime$

  <search>
    <query>|makeresults
    </query>
    <earliest>$timetok1.earliest$</earliest>
    <latest>$timetok1.latest$</latest>
    <progress>
      <eval token="tokEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <eval token="tokLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
    </progress>
  </search>

PS: Use eval tag to convert String time to Epoch using strptime()
3) Use tokens tokEarliest and tokLatest in your other searches in the dashboard which are epoch time.

Re: Converting relative time into epoch for the time range picker

Svill321 — Mon, 21 Aug 2017 17:06:29 GMT

This worked beautifully. Thank you so much!

Re: Converting relative time into epoch for the time range picker

niketn — Mon, 21 Aug 2017 17:20:43 GMT

Anytime! 🙂

Re: Converting relative time into epoch for the time range picker

isanchez — Wed, 03 Jan 2018 17:28:26 GMT

Great solution!

Re: Converting relative time into epoch for the time range picker

isanchez — Wed, 03 Jan 2018 17:29:05 GMT

Great solution!

Re: Converting relative time into epoch for the time range picker

gt_dev — Fri, 20 Jul 2018 18:16:41 GMT

I have been looking for this answer for about 3 hours today. Thank you very much!

Re: Converting relative time into epoch for the time range picker

niketn — Fri, 20 Jul 2018 21:15:18 GMT

I had updated my answer with two approaches (on similar idea of using an independent search as mentioned above). Please refer to that as well.

https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

Re: Converting relative time into epoch for the time range picker

kkrishnan_splun — Fri, 19 Oct 2018 14:07:08 GMT

@niketnilay Thank you so much. Your solution is very elegant.

Is there a way to do this from an independent search window as opposed to within a dashboard ?

Re: Converting relative time into epoch for the time range picker

niketn — Sun, 21 Oct 2018 03:35:12 GMT

@kkrishnan_splunk kkrishnanthe possibility would be to use

  | makeresults
  | fields - _time
  | addinfo
  | fields info_min_time, info_max_time
   | map search="<yourActualSearchWith$info_min_time$And$info_max_time$>"

If this does not work or help please explain a bit more on your use case.