topic Re: How to use date-time field from event as span for search in Dashboard in Splunk Search

How to use date-time field from event as span for search in Dashboard

tkwaller_2 — Tue, 29 Sep 2020 18:52:14 GMT

Hello

I have a field in my events that is named info_date_resReviewed in format "2017-09-24 00:00:00" and I'd like to use it as search delimiters. So really you could enter an earliest/latest "info_date_resReviewed" and get results based on the span of this field.

So
earliest ="info_date_resReviewed" and latest="info_date_resReviewed"

I was thinking dropdowns with available "info_date_resReviewed" and then using the tokens but havent gotten it to work. Any suggestions?

Thanks!

Re: How to use date-time field from event as span for search in Dashboard

adonio — Wed, 04 Apr 2018 15:18:13 GMT

hello there,
splunk can use this format: "10/5/2016:20:00:00" for earliest= and latest=
first, modify your time to match this format using strptime or convert or other method.
than you can create a form input for earliest and latest, have the form inputs for latest dynamic and present only values greater than the value you chose for earliest to avoid conflict
create a dashboard with search/es, panels (or base search) that starts with earliest="$earliest$" latest="$latest$" and add your queries.

hope it helps