topic How to use TimePicker on CSV in Splunk Search

How to use TimePicker on CSV

harshal_chakran — Fri, 20 Mar 2015 15:53:45 GMT

Hi,
I have a csv file as shown below:

DATE VALUE 1-Jan 2 02-Jan 3 04-Jan 5 05-Jan 4 06-Jan 7 07-Jan 88 08-Jan 09 09-Jan 77 10-Jan 7 11-Jan 66 12-Jan 34 13-Jan 234 14-Jan 23 15-Jan 4 16-Jan 4

I am creating a dashboard with time picker, where result is shown as per my time range selection.
I have used following xml code for the same.

 <form>
     <label>Timechart for drilldown</label>
     <fieldset autoRun="true" submitButton="false">
     <input type="time" searchWhenChanged="true" token="dashboardTime">
       <default>
         <earliestTime></earliestTime>
         <latestTime>now</latestTime>
       </default>
     </input>
     </fieldset>
     <row>
     <chart>
       <searchString>|inputcsv NETWORK.csv|eval _time=strptime(DATE,"%d-%b")|table _time VALUE</searchString>
       <earliestTime>$dashboardTime.earliest$</earliestTime>
       <latestTime>$dashboardTime.latest$</latestTime>
       <option name="charting.chart">column</option>
       <option name="charting.chart.nullValueMode">gaps</option>
       <option name="charting.drilldown">all</option>
     </chart>
     </row>
 </form>

No matter what I select, the complete result like 1-Jan to 16-Jan is always displayed in dashboard.
What wrong I am doing here.
Please Help...!!!

Re: How to use TimePicker on CSV

emiller42 — Fri, 20 Mar 2015 15:57:26 GMT

The problem is that your search doesn't evaluate what _time should be until AFTER your dashboard has applied the time to the search. With how this is built, the search is effectively:

search earliest=$dashboardTime.earliest$ latest=$dashboardTime.latest$ | inputcsv NETWORK.csv | ...

So what you need to do is explicitly put the time filtering AFTER the inputcsv.

      <chart>
        <searchString>|inputcsv NETWORK.csv|eval _time=strptime(DATE,"%d-%b")| search earliest=$dashboardTime.earliest$ latest=$dashboardTime.latest$ | table _time VALUE</searchString>
        <option name="charting.chart">column</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.drilldown">all</option>
      </chart>

Re: How to use TimePicker on CSV

cpetterborg — Fri, 20 Mar 2015 16:03:59 GMT

I think you are assuming that the date that you have in your first column is going to be the date that it will use for the event, which is not the case because it is not a complete date. It is going to use the date of the file or the date of indexing, depending on the way you are putting the data into Splunk.

Use a complete date in the column and you might get the results you are expecting. A date like "01-Jan-15 00:00:00" is a complete date and Splunk will respect the date for the event (read: line or row).

With a proper date, then timestamp for the row will be able to be used with the timepicker because the event _time will match the data on the row.