- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Splunk - timestamp conversion for dashboard
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I have a lookup table which has the list of email id's and the dates they logged into the application as below,
Username time
testuser1@gmail.com 03/31/2018
testuser2@gmail.com 03/30/2018
if I use the date range on the Splunk dashboard, the query is working without any issue, because it shows the timestamp on the query, but if I choose the present timeframe such as last 1 day, last 30 minutes, it is populating as now and -15m, I'm unable to convert the time format, Could anyone please help me to resolve the issue?
Query Format -
| eval mytime1=strftime($time.latest$,"%Y%m%d")
| eval mytime2=strftime($time.earliest$,"%Y%m%d")
| where mytime <= mytime1 and mytime >= mytime2
Present time frame-
| eval mytime1=strftime(now,"%Y%m%d")
| eval mytime2=strftime(-15m,"%Y%m%d")
| where mytime <= mytime1 and mytime >= mytime2
Date range -
| eval mytime1=strftime(1516942800,"%Y%m%d")
| eval mytime2=strftime(1514782800,"%Y%m%d")
| where mytime <= mytime1 and mytime >= mytime2
Thanks,
Dhana
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I have date stamps in my lookup files and want to filter results based on date, I don't use the time tokens, because there are so many variations and edge cases. Instead, I do this:
| addinfo
| where info_min_time<=whatever_start_date_time AND info_max_time>=whatever_end_time
| fields - info_*
The addinfo command will add four fields to every event - info_max_time (equivalent to the $latest$ token, but always in epoch format), info_min_time (equivalent to the $earliest$ token, but always in epoch format), info_search_time (when the search was run), and info_sid (a unique ID assigned to the search).
The line | fields - info_* is just to remove those fields after I've used them for comparisons.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much! it worked.
Dhana
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I have date stamps in my lookup files and want to filter results based on date, I don't use the time tokens, because there are so many variations and edge cases. Instead, I do this:
| addinfo
| where info_min_time<=whatever_start_date_time AND info_max_time>=whatever_end_time
| fields - info_*
The addinfo command will add four fields to every event - info_max_time (equivalent to the $latest$ token, but always in epoch format), info_min_time (equivalent to the $earliest$ token, but always in epoch format), info_search_time (when the search was run), and info_sid (a unique ID assigned to the search).
The line | fields - info_* is just to remove those fields after I've used them for comparisons.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
