How to have a graph display today's data by default NOT using default time



I am trying to figure out how to have my graphs display today's data based off of a field value and not the default event time stamps.

Here is my search to create the graph:

sourcetype=oracle:tablespacesize index=gwboracledb DBNAME="$dbname_filt$" TS_NAME="$ts_filt$"
| eval SNAP_DATE=strptime(SNAP_DATE,"%Y-%m-%d %H:%M:%S.%N")
| bin span=1d SNAP_DATE
| eval SNAP_DATE=strftime(SNAP_DATE,"%Y-%m-%d")
| eval today=relative_time(now(),"@d")
| search SNAP_DATE="$ts%date_filt$"
| eval USED_GB = USED_KB/1024/1024
| eval FREE_GB=FREE_KB/1024/1024
| chart sum(FREE_GB) as "FREE" sum(USED_GB) as "USED" over TS_NAME
| sort limit=10 -num("USED")

As you can see, I am using the "SNAP_DATE" field as the date values in my graph. I also have a dropdown menu element on my panel that gives you the option to select a snap date to view. For some reason, using the "now()" command in the "SNAP_DATE" does not return any values. I tried using an eval line to create a "today" value but that did not seem to work at all and will be removed after posting this.
How can I make it so that there is an option in this dropdown to display today's data?

Thanks for the help

0 Karma

Esteemed Legend

Ignore that you sort of know how to do it and pretend that you don't know anything other than what your events look like and what you need. Show us the events and describe what you need. Your existing search and description are confusing me.

0 Karma


Hi twmoffit,
you have to insert in your main search

earliest="$day$:00:00:00" latest="$day$:23:59:59"

where $day$ is the token of your dropdown.

0 Karma
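An added example (not from any poster in this thread) of a Simple XML form that gives the dropdown a static "Today" choice and resolves it against the SNAP_DATE field with `where`, since the `search` command compares a field to a literal string and does not evaluate `now()`. The token name `snap_date_tok`, the helper fields `SNAP_DAY` and `wanted_day`, the form label, the chart type and the 30-day time ranges are assumptions; the index, sourcetype, field names and the `dbname_filt` and `ts_filt` tokens come from the question.

```xml
<form>
  <label>Tablespace usage by snap date</label>
  <!-- Inputs for dbname_filt and ts_filt (from the question) are omitted here. -->
  <fieldset submitButton="false">
    <!-- snap_date_tok is an assumed token name -->
    <input type="dropdown" token="snap_date_tok" searchWhenChanged="true">
      <label>Snap date</label>
      <!-- Static choice: the literal "today" is resolved inside the panel search -->
      <choice value="today">Today</choice>
      <default>today</default>
      <!-- Dynamic choices: one entry per calendar day found in SNAP_DATE -->
      <fieldForLabel>SNAP_DAY</fieldForLabel>
      <fieldForValue>SNAP_DAY</fieldForValue>
      <search>
        <query>sourcetype=oracle:tablespacesize index=gwboracledb
| eval SNAP_DAY=strftime(strptime(SNAP_DATE,"%Y-%m-%d %H:%M:%S.%N"),"%Y-%m-%d")
| stats count by SNAP_DAY
| sort - SNAP_DAY</query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>sourcetype=oracle:tablespacesize index=gwboracledb DBNAME="$dbname_filt$" TS_NAME="$ts_filt$"
| eval SNAP_DAY=strftime(strptime(SNAP_DATE,"%Y-%m-%d %H:%M:%S.%N"),"%Y-%m-%d")
| eval wanted_day=if("$snap_date_tok$"=="today", strftime(now(),"%Y-%m-%d"), "$snap_date_tok$")
| where SNAP_DAY==wanted_day
| eval USED_GB=USED_KB/1024/1024, FREE_GB=FREE_KB/1024/1024
| chart sum(FREE_GB) as FREE sum(USED_GB) as USED over TS_NAME
| sort limit=10 -num(USED)</query>
          <!-- Assumed window; it must cover the events that carry the wanted SNAP_DATE -->
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
```

The `where` clause filters on the SNAP_DATE field only, so the panel's time range still has to include the events whose SNAP_DATE is being requested.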