Archive

Date formats on passing tokens from drilldown

Explorer

I have a table on dash1 with _time in Column 1 showing in format %Y-%m-%d %H:%M:%S.nnn (not sure how to show milliseconds). This is the drilldown :

<drilldown target="blank">
          <link>dash2?form.inhost=$row.host$&amp;form.intime=$row._time$</link>
</drilldown>

The token $row._time$ gets passed correctly into dash2, and is used In the following query :

<query>index=camlog host=$form.inhost$ log_level=* earliest=$form.intime$ | table _time log_timestamp host log_level log_thread log_msg | sort log_timestamp</query>

I get the message "Invalid value "2017-03-09T08:44:10.798+00:00" for time term 'earliest' ". As a test I substituted $form.intime$ with "03/09/2017:08:44:00" and it works perfectly.

So it's obvious that I am passing _time from dash1 to dash2 in a format which earliest in the dash2 query is not expecting. I would really appreciate an explanation as to how this happens and advice on where and how to reformat the date so that earliest works.

Many thanks

Tags (1)
0 Karma

Super Champion

this is a great reference for date/time formats
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables
3 milliseconds is shown as %3N

if the time needs to be reformatted before being passed into that query, you could probably do a token eval.
http://docs.splunk.com/Documentation/Splunk/6.5.3/Viz/tokens#Define_token_filtering_and_formatting
maybe something like:

<eval token="new_token">convert mktime($row._time$) timeformat="%Y-%m-%d %H:%M:%S.%3N"</eval>
<eval token="row._time">convert ctime($new_token$) timeformat="%m/%d/%Y:%H:%M:%S"</eval>
0 Karma

Explorer

Thanks. I tried this and the token I pass appears not to be a reformatted date ie it's the same as before. I am thinking that row._time is imutable, perhaps?!?! If I use my own variable name for the token then this passes "NaN" as the date token, which suggests that it is doing the conversion and failing. I cqan't see anything wrong with the code :

<drilldown target="blank">
          <eval token="new_token">convert mktime($row._time$) timeformat="%Y-%m-%d %H:%M:%S.%3N"</eval>
          <eval token="row._time">convert ctime($new_token$) timeformat="%m/%d/%Y:%H:%M:%S"</eval>

          <link>dash2?form.inhost=$row.host$&amp;form.intime=$row._time$</link>
</drilldown>
0 Karma