All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get date picker to work with dates output by DBX and Oracle

chazaswell
New Member
‎02-22-2017 04:06 PM

I have tried using column names such as DATE, TIMESTAMP, EVENTDATE when selecting data from an Oracle timestamp field. The search date picker just ignores my selecting Today, Last Week, etc. I know I can write custom SQL to find the correct records, but would like to leave the user the ability to select dates using date picker. Do I need a specific column name with a particular date format? There must be a way to do this. Thanks.

0 Karma
Reply

neusse
Path Finder
‎08-28-2017 04:14 PM

I don't agree that there are two types of time ranges from the time picker. Everything derives down to earliest and latest. It is really very simple. I have setup a macro that actually manages this. This allows the time picker to be transparent for the user. It only requires a small statement in the SQL like between.

makeresults
|addinfo
| eval info_max_time=if( info_max_time="+Infinity",now(),info_max_time)
| eval olate = strftime( info_max_time, "%Y-%m-%d %H:%M:%S.%3N" )
| eval oearl = strftime( info_min_time, "%Y-%m-%d %H:%M:%S.%3N" )
| map search="dbxquery yada yada \"select \"$X$\" from $table$ where $checkvar$ between to_timestamp('$oearl$', 'YYYY-MM-DD hh24:mi:ss.ff') and to_timestamp('$olate$', 'YYYY-MM-DD hh24:mi:ss.ff') \""
| eval _time=$checkvar$

This is the jist of what goes in the macro for Oracle. The date conversions would be different for other SQL. It works very well and is transparent.

Regards,

0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎02-23-2017 12:23 PM

The Splunk time selector element allows users to switch from exact time representations (between then and now) and relative time representations (earlier than a week ago). Unfortunately the SQL needed to handle these two types of time is different, so customization of the form to limit available time input formats is advised.

0 Karma
Reply

neusse
Path Finder
‎06-10-2019 07:41 AM

I downvoted this post because this statement of non compatibility of time is inaccurate.

0 Karma
Reply

neusse
Path Finder
‎06-10-2019 07:40 AM

My answer below actually fixes this issue between SQL and Splunk and allow for the fixed timepicker values to be passed into a SQL query and return correct results.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top