topic Re: Get values Time range in Splunk Search

Get values Time range

Jailson — Thu, 06 Mar 2025 16:22:58 GMT

I have a survey that has a date field deletion_date. How can I filter this field by the
Time range?

sourcetype=access_* status=200 action=purchase | top categoryId |where deletion_date > ?

Re: Get values Time range

kiran_panchavat — Thu, 06 Mar 2025 16:57:25 GMT

@Jailson

What exactly are you looking for? Could you elaborate a bit more?

Re: Get values Time range

gcusello — Thu, 06 Mar 2025 17:09:05 GMT

Hi @Jailson ,

the timepicker works only on _time and not on a field like deletion_date.

If you want to filter your data using this filter you have to add it to the main search.

In addition after the top command you have only the fields in the command, in your case: categoryId, perc, count.

If you want to filter your data for deletion_date, you have to put this filter in the main search or before the top command, obviously, if you have this field in your data.

The syntax depends on the format of yor deletion_date field, e.g. if it's in format "yyyy-mm-dd" and you want to filter results if deletion_date>2024-12-31, you should use something like this:

sourcetype=access_* status=200 action=purchase | eval deletion_date_epoch=strptime(deletion_date,"%Y-%m-%d"), deletion_date_filter_epoch=strptime("2024-12-31","%Y-%m-%d") | where deletion_date_epoch>deletion_date_filter_epoch | top categoryId

Ciao.

Giuseppe

Re: Get values Time range

livehybrid — Thu, 06 Mar 2025 22:35:17 GMT

Hi @Jailson

What time format is your deletion_date in?

If so and you plan to use this approach in a dashboard then you can use tokens from the time picker and relative_time to use the time picker as a filter. Note that you will still need to apply an earliest/latest to your main part of the search, this will only filter.

<form version="1.1" theme="light"> <label>xmltest</label> <fieldset submitButton="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <table> <search> <query>| makeresults | eval deletion_date=now()-7200 | where deletion_date>relative_time(now(),"$field1.earliest$")</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form>

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Re: Get values Time range

Jailson — Tue, 18 Mar 2025 18:52:39 GMT

Thank you for your help, it helped me a lot in solving my problem.

Re: Get values Time range

Jailson — Tue, 18 Mar 2025 18:53:19 GMT

Thank you all for your help, it helped me a lot in solving my problem.

Re: Get values Time range

gcusello — Wed, 19 Mar 2025 09:52:20 GMT

Hi @Jailson ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉