Splunk Search

Custom Time picker

abhishekdubey00
Engager

In the below query it is showing time picker data or time as per the time picker. But I want: if I select last 30 days in the time picker, it should show the date of the last 30 days; if I select a date range, it should show the same date in my column; and if I select last month, it should show the date on start date.

tsest _time

<input type="time" token="timepicker">
  <label></label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>


<panel>
  <table>
    <search>
      <query>| makeresults |eval start_date="$timepicker.earliest$", end_date="$timepicker.latest$"|table start_date,end_date</query>
      <earliest>$timepicker.earliest$</earliest>
      <latest>$timepicker.latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
  </table>
</panel>
0 Karma

splunk_sv
Path Finder

Is your issue fixed?

0 Karma

niketn
Legend

@abhishekdubey006 refer to one of my older answers where, based on the time picker selection, the earliest and latest times are set as String Time and Epoch Time (along with duration) using two options. https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

splunk_sv
Path Finder

Hi,

As per my understanding, I have designed the below query, which prints the start date and end date according to the date selected in the time picker:

| makeresults
| eval start_date="$timepicker.earliest$", end_date="$timepicker.latest$"
| eval x = if(isnum(start_date),start_date,relative_time(now(), start_date))
| eval y = if(isnum(end_date),end_date,case(end_date == "now", now(), end_date == "", now(), 1=1,relative_time(now(), end_date)))
| convert timeformat="%d-%m-%Y %H:%M:%S" ctime(x) AS StartDate
| convert timeformat="%d-%m-%Y %H:%M:%S" ctime(y) AS EndDate
| table StartDate, EndDate

It handles all the cases which are present in the time picker except real time, as makeresults doesn't support that.
Supported cases are given below:

  • presets
  • relative
  • date range
  • date and time range
  • advanced

Note:

  • In case you select any time range in which the time interval becomes [beginning of time, any time] then the start date will be empty.

Happy Splunking!!!

0 Karma

nvanderwalt_spl
Splunk Employee

Hi.

If you are looking to display the date, you can do the following:

| makeresults |stats earliest(_time) as start_date, latest(_time) as end_date 
|eval start_date=strftime(start_date, "%D"), end_date=strftime(end_date, "%D")
|table start_date,end_date
0 Karma
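
An added example, not code from any poster in this thread: a complete Simple XML form that reads the resolved search bounds with `addinfo` instead of parsing the token strings, so presets, relative ranges and date ranges all arrive as epoch values. The dashboard label, the `span_days` column and the "beginning of time" text are choices made for this example; real-time ranges are not covered.

```xml
<form>
  <label>Time picker bounds (added example)</label>
  <fieldset submitButton="false">
    <!-- Same input and token name as in the question -->
    <input type="time" token="timepicker">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- addinfo adds info_min_time / info_max_time: the epoch bounds the
               search actually ran with, after Splunk resolved the picker value.
               "All time" yields info_min_time=0 and info_max_time="+Infinity";
               both cases are handled explicitly in the query.
               span_days and the "beginning of time" text are example choices. -->
          <query>| makeresults
| addinfo
| eval end_epoch=if(info_max_time=="+Infinity", now(), info_max_time)
| eval start_date=if(info_min_time==0, "beginning of time", strftime(info_min_time, "%d-%m-%Y %H:%M:%S"))
| eval end_date=strftime(end_epoch, "%d-%m-%Y %H:%M:%S")
| eval span_days=if(info_min_time==0, null(), round((end_epoch - info_min_time) / 86400, 2))
| table start_date, end_date, span_days</query>
          <earliest>$timepicker.earliest$</earliest>
          <latest>$timepicker.latest$</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```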