topic Re: Compare current time vs fields time in Splunk Search https://community.splunk.com/t5/Splunk-Search/Compare-current-time-vs-fields-time/m-p/317196#M162639 <P>Here is a run anywhere dashboard that uses a recent answers post's sample data to demonstrate what I think you're looking for:</P> <PRE><CODE>&lt;form&gt; &lt;label&gt;622761&lt;/label&gt; &lt;fieldset submitButton="false"&gt; &lt;input type="checkbox" token="filter_expired" searchWhenChanged="true"&gt; &lt;label&gt;&lt;/label&gt; &lt;choice value="yes"&gt;Check for expired&lt;/choice&gt; &lt;delimiter&gt; &lt;/delimiter&gt; &lt;change&gt; &lt;condition value="yes"&gt; &lt;eval token="checked_result_value"&gt;"Status=Expired"&lt;/eval&gt; &lt;/condition&gt; &lt;condition&gt; &lt;eval token="checked_result_value"&gt;""&lt;/eval&gt; &lt;/condition&gt; &lt;/change&gt; &lt;/input&gt; &lt;/fieldset&gt; &lt;row&gt; &lt;panel&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;| makeresults | eval Class_Date="2018-1-1" | append [| makeresults | eval Class_Date="2018-12-12"] | append [| makeresults | eval Class_Date="2017-1-2"] | append [| makeresults | eval Class_Date="2017-1-3"] | eval class_plus_one_year = relative_time(strptime(Class_Date, "%Y-%m-%d"), "+1y") | eval Status = if(now() &gt; class_plus_one_year, "Expired", "Valid") | search $checked_result_value$&lt;/query&gt; &lt;earliest&gt;-24h@h&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;/search&gt; &lt;option name="count"&gt;20&lt;/option&gt; &lt;option name="dataOverlayMode"&gt;none&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="percentagesRow"&gt;false&lt;/option&gt; &lt;option name="rowNumbers"&gt;false&lt;/option&gt; &lt;option name="totalsRow"&gt;false&lt;/option&gt; &lt;option name="wrap"&gt;true&lt;/option&gt; &lt;/table&gt; &lt;/panel&gt; &lt;/row&gt; &lt;/form&gt; </CODE></PRE> Fri, 02 Mar 2018 02:18:25 GMT micahkemp 2018-03-02T02:18:25Z Compare current time vs fields time https://community.splunk.com/t5/Splunk-Search/Compare-current-time-vs-fields-time/m-p/317195#M162638 <P>I have a checkbox that when ticked I want it to compare the current time vs. the time of the values in a field of the panel. It would then only show the devices that exceed the current time. If unchecked all devices show regardless of time.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4452i0BEB6F82BB8DC118/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span><BR /> static option true = strftime(_time,"%m/%d/%Y %I:%M:%S %p")<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4453iEB5699DF83080584/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span> (Field I want to compare to)</P> Thu, 01 Mar 2018 19:48:36 GMT https://community.splunk.com/t5/Splunk-Search/Compare-current-time-vs-fields-time/m-p/317195#M162638 JoshuaJohn 2018-03-01T19:48:36Z Re: Compare current time vs fields time https://community.splunk.com/t5/Splunk-Search/Compare-current-time-vs-fields-time/m-p/317196#M162639 <P>Here is a run anywhere dashboard that uses a recent answers post's sample data to demonstrate what I think you're looking for:</P> <PRE><CODE>&lt;form&gt; &lt;label&gt;622761&lt;/label&gt; &lt;fieldset submitButton="false"&gt; &lt;input type="checkbox" token="filter_expired" searchWhenChanged="true"&gt; &lt;label&gt;&lt;/label&gt; &lt;choice value="yes"&gt;Check for expired&lt;/choice&gt; &lt;delimiter&gt; &lt;/delimiter&gt; &lt;change&gt; &lt;condition value="yes"&gt; &lt;eval token="checked_result_value"&gt;"Status=Expired"&lt;/eval&gt; &lt;/condition&gt; &lt;condition&gt; &lt;eval token="checked_result_value"&gt;""&lt;/eval&gt; &lt;/condition&gt; &lt;/change&gt; &lt;/input&gt; &lt;/fieldset&gt; &lt;row&gt; &lt;panel&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;| makeresults | eval Class_Date="2018-1-1" | append [| makeresults | eval Class_Date="2018-12-12"] | append [| makeresults | eval Class_Date="2017-1-2"] | append [| makeresults | eval Class_Date="2017-1-3"] | eval class_plus_one_year = relative_time(strptime(Class_Date, "%Y-%m-%d"), "+1y") | eval Status = if(now() &gt; class_plus_one_year, "Expired", "Valid") | search $checked_result_value$&lt;/query&gt; &lt;earliest&gt;-24h@h&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;sampleRatio&gt;1&lt;/sampleRatio&gt; &lt;/search&gt; &lt;option name="count"&gt;20&lt;/option&gt; &lt;option name="dataOverlayMode"&gt;none&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="percentagesRow"&gt;false&lt;/option&gt; &lt;option name="rowNumbers"&gt;false&lt;/option&gt; &lt;option name="totalsRow"&gt;false&lt;/option&gt; &lt;option name="wrap"&gt;true&lt;/option&gt; &lt;/table&gt; &lt;/panel&gt; &lt;/row&gt; &lt;/form&gt; </CODE></PRE> Fri, 02 Mar 2018 02:18:25 GMT https://community.splunk.com/t5/Splunk-Search/Compare-current-time-vs-fields-time/m-p/317196#M162639 micahkemp 2018-03-02T02:18:25Z