topic Re: How to parse a timestamp field from a user text input to use for the search time range? in Splunk Search

How to parse a timestamp field from a user text input to use for the search time range?

brianlee12 — Fri, 08 Jul 2016 17:52:52 GMT

Hi guys,

So I have an input field where the user inputs text in the format %y%m%d%H%M, for example 1607061700, which would be July 6th, 2016 5:00 PM. I would like to parse this input and set my search time range to be an hour before and 5 hours after this time. I've tried using subsearches and messing with the XML, but can't seem to get anything to work. Any help would be greatly appreciated. Thanks!

Re: How to parse a timestamp field from a user text input to use for the search time range?

sundareshr — Fri, 08 Jul 2016 18:26:50 GMT

Try this

<input type="text">
      <change>
        <eval token="e">strptime($value$, "%y%m%d%H%M")-3600</eval>
        <eval token="l">strptime($value$, "%y%m%d%H%M")+18000</eval>
      </change>
<input>

In your search query, use earliest=$e$ latest=$l$

Re: How to parse a timestamp field from a user text input to use for the search time range?

brianlee12 — Fri, 08 Jul 2016 21:28:04 GMT

For some reason, the resulting e and l values are earliest=946710000 latest=946731600 which translates to (12/31/99 11:00:00.000 PM to 1/1/00 5:00:00.000 AM). Not sure why strptime isn't parsing this correctly.

Re: How to parse a timestamp field from a user text input to use for the search time range?

sundareshr — Fri, 08 Jul 2016 21:31:49 GMT

Try this

<eval token="e">relative_time(strptime($value$, "%y%m%d%H%M"), "-1h")</eval>

Re: How to parse a timestamp field from a user text input to use for the search time range?

brianlee12 — Fri, 08 Jul 2016 22:12:08 GMT

Still the same result. The issue is with strptime not parsing the input correctly. strptime($value$, "%y%m%d%H%M") produces 1/1/00 12:00:00.000 AM which I'm assuming is the default or starting time.

Re: How to parse a timestamp field from a user text input to use for the search time range?

brianlee12 — Fri, 08 Jul 2016 22:23:51 GMT

Just did a little debugging. The issue is with the $value$ token which currently carries the value of null for some reason.

Re: How to parse a timestamp field from a user text input to use for the search time range?

sundareshr — Fri, 08 Jul 2016 22:27:09 GMT

I just tried this and I get right results

    <form>
      <label>Test Dashboard</label>
      <fieldset submitButton="false">
        <input type="text" token="t">
          <label>field1</label>
          <default>1607061700</default>
          <change>
            <eval token="e">relative_time(strptime($value$, "%y%m%d%H%M"), "-1h")</eval>
            <eval token="l">strptime($value$, "%y%m%d%H%M")+18000</eval>
          </change>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <title>$e$ ($l$)</title>
            <search>
              <query>| gentimes start=-1 | eval x="$e$" | eval y="$l$" | eval z=strftime(x, "%y-%m-%d %H:%M") | eval a=strftime(y, "%y-%m-%d %H:%M") | table x y z a</query>
              <earliest>-15m</earliest>
              <latest>now</latest>
            </search>
          </table>
        </panel>
      </row>
    </form>

Re: How to parse a timestamp field from a user text input to use for the search time range?

brianlee12 — Fri, 08 Jul 2016 22:35:04 GMT

Copy and pasted that into my dashboard and didn't work for me. Not sure why it could be something to do with splunk settings.

Re: How to parse a timestamp field from a user text input to use for the search time range?

sundareshr — Fri, 08 Jul 2016 22:37:05 GMT

which splunk version?

Re: How to parse a timestamp field from a user text input to use for the search time range?

brianlee12 — Fri, 08 Jul 2016 22:38:31 GMT

Splunk 6.3 what about you?

Re: How to parse a timestamp field from a user text input to use for the search time range?

sundareshr — Fri, 08 Jul 2016 22:50:05 GMT

I have version 6.4. Shouldn't make any difference. I tried using $t$ (token name for the text box) instead of $value$ , and I get the incorrect date.

Re: How to parse a timestamp field from a user text input to use for the search time range?

brianlee12 — Fri, 08 Jul 2016 22:54:39 GMT

Yeah I'm really not sure why $value$ is giving me null. $t$ and $t.value$ also don't work for me.

Re: How to parse a timestamp field from a user text input to use for the search time range?

sundareshr — Fri, 08 Jul 2016 22:58:01 GMT

Try using $t$ in the panel's search. See if you get the value there.

Re: How to parse a timestamp field from a user text input to use for the search time range?

brianlee12 — Fri, 08 Jul 2016 23:00:30 GMT

using $t$ in the search query works for me

Re: How to parse a timestamp field from a user text input to use for the search time range?

brianlee12 — Fri, 08 Jul 2016 23:02:50 GMT

Do you know any other way of doing this that might work?

Re: How to parse a timestamp field from a user text input to use for the search time range?

sundareshr — Fri, 08 Jul 2016 23:08:02 GMT

Since the $value$ is not working, try this approach in your panel's search

index=xyz  [| gentimes start=-1 | eval earliest=relative_time(strptime($t$, "%y%m%d%H%M"), "-1h") | eval latest=relative_time(strptime($t$, "%y%m%d%H%M"), "+5h") | table earliest latest]

Re: How to parse a timestamp field from a user text input to use for the search time range?

brianlee12 — Fri, 08 Jul 2016 23:08:25 GMT

Fixed the problem. Using value with no $ around it worked for me.