Archive

Custome Time picker

in below query its showing time picker data or time as per time picker. but i want if i select last 30 days in time picker it should show date of last 30 days ,if i select date range it should be show same date in my coloum and if select last last month it should be showing date on start date

tsest _time

<input type="time" token="timepicker">
  <label></label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
</input>


<panel>
  <table>
    <search>
      <query>| makeresults |eval start_date="$timepicker.earliest$", end_date="$timepicker.latest$"|table start_date,end_date</query>
      <earliest>$timepicker.earliest$</earliest>
      <latest>$timepicker.latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">20</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
  </table>
</panel>
Tags (1)
0 Karma

Path Finder

Is your issue fixed?

0 Karma

Legend

@abhishekdubey006 refer to one of my older answer where based on the time picker selection, the earliest and latest time is set as String Time and Epoch Time (along with duration) using two options. https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

Hi,

As per my understanding, I have designed the below query which prints the start date and end date according to the date selected in the time picker,

| makeresults
| eval start_date="$timepicker.earliest$", end_date="$timepicker.latest$"
| eval x = if(isnum(start_date),start_date,relative_time(now(), start_date))
| eval y = if(isnum(end_date),end_date,case(end_date == "now", now(), end_date == "", now(), 1=1,relative_time(now(), end_date)))
| convert timeformat="%d-%m-%Y %H:%M:%S" ctime(x) AS StartDate
| convert timeformat="%d-%m-%Y %H:%M:%S" ctime(y) AS EndDate
| table StartDate, EndDate

It handles all the cases, which are present in the time picker except real time as make result doesn't support that.
Supported cases are given below,

  • presets
  • relative
  • date range
  • date and time range
  • advanced

Note:

  • In case you select any time range in which the time interval becomes [beginning of time, any time] then the start date will be empty.

Happy Splunking!!!

0 Karma

Splunk Employee
Splunk Employee

Hi.

If you are looking to display the date, you can do the following:

| makeresults |stats earliest(_time) as start_date, latest(_time) as end_date 
|eval start_date=strftime(start_date, "%D"), end_date=strftime(end_date, "%D")
|table start_date,end_date
0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!