All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get date picker to work with dates output by DBX and Oracle

chazaswell
New Member
‎02-22-2017 04:06 PM

I have tried using column names such as DATE, TIMESTAMP, EVENTDATE when selecting data from an Oracle timestamp field. The search date picker just ignores my selecting Today, Last Week, etc. I know I can write custom SQL to find the correct records, but would like to leave the user the ability to select dates using date picker. Do I need a specific column name with a particular date format? There must be a way to do this. Thanks.

0 Karma
Reply

neusse
Path Finder
‎08-28-2017 04:14 PM

I don't agree that there are two types of time ranges from the time picker. Everything derives down to earliest and latest. It is really very simple. I have setup a macro that actually manages this. This allows the time picker to be transparent for the user. It only requires a small statement in the SQL like between.

makeresults
|addinfo
| eval info_max_time=if( info_max_time="+Infinity",now(),info_max_time)
| eval olate = strftime( info_max_time, "%Y-%m-%d %H:%M:%S.%3N" )
| eval oearl = strftime( info_min_time, "%Y-%m-%d %H:%M:%S.%3N" )
| map search="dbxquery yada yada \"select \"$X$\" from $table$ where $checkvar$ between to_timestamp('$oearl$', 'YYYY-MM-DD hh24:mi:ss.ff') and to_timestamp('$olate$', 'YYYY-MM-DD hh24:mi:ss.ff') \""
| eval _time=$checkvar$

This is the jist of what goes in the macro for Oracle. The date conversions would be different for other SQL. It works very well and is transparent.

Regards,

0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎02-23-2017 12:23 PM

The Splunk time selector element allows users to switch from exact time representations (between then and now) and relative time representations (earlier than a week ago). Unfortunately the SQL needed to handle these two types of time is different, so customization of the form to limit available time input formats is advised.

0 Karma
Reply

neusse
Path Finder
‎06-10-2019 07:41 AM

I downvoted this post because this statement of non compatibility of time is inaccurate.

0 Karma
Reply

neusse
Path Finder
‎06-10-2019 07:40 AM

My answer below actually fixes this issue between SQL and Splunk and allow for the fixed timepicker values to be passed into a SQL query and return correct results.

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...