Splunk Search

Can someone explain to me specifically what the code below does?

pavanraghav
Explorer

| eval created_upper_token=if("$time_token.latest$"="" OR like("$time_token.latest$","%now%"),"@s","$time_token.latest$")
| eval created_lower_token=if("$time_token.earliest$"="",0,"$time_token.earliest$")
| replace "rt*" with * in created_upper_token
| replace "rt*" with * in created_lower_token
| eval created_lower_bound = if(isnum(created_lower_token), created_lower_token, relative_time(now(),created_lower_token))
| eval created_upper_bound = if(isnum(created_upper_token), created_upper_token, relative_time(now(),created_upper_token))
| where order_date >= created_lower_bound AND order_date <= created_upper_bound

1 Solution

arjunpkishore5
Motivator

I've added comments to your query to help understand each line.

    | eval created_upper_token=if("$time_token.latest$"="" OR like("$time_token.latest$","%now%"),"@s","$time_token.latest$")
    `comment("This is setting created_upper_token to @s indicating last second if the value of $time_token.latest$ is now. If not use the same value as $time_token.latest$")`
    | eval created_lower_token=if("$time_token.earliest$"="",0,"$time_token.earliest$")
    `comment("This is setting created_lower_token to 0 indicating 'All Time' if the value of $time_token.earliest$ is blank. If not use the same value as $time_token.latest$")`
    | replace "rt*" with * in created_upper_token
    `comment("Replacing anything with rt* with some value in created_upper_token. Your formatting has removed some text, so not sure what the replacement value is")`
    | replace "rt*" with * in created_lower_token
    `comment("Replacing anything with rt with * in created_lower_token. Your formatting may have removed some text, so not sure if the replacement value is *")`
    | eval created_lower_bound = if(isnum(created_lower_token), created_lower_token, relative_time(now(),created_lower_token))
    `comment("Convert to absolute epoch time if the value is time specifier")`
    | eval created_upper_bound = if(isnum(created_upper_token), created_upper_token, relative_time(now(),created_upper_token))
    `comment("Convert to absolute epoch time if the value is time specifier")`
    | where order_date >= created_lower_bound AND order_date <= created_upper_bound
    `comment("Filter")`

This basically looks like getting the time_token from a time input in a dashboard. The code is basically converting the values selected by the users in the dashboard to epoch times so that they can be used in the filter. This is done to accommodate filters such as "Last 7 days" or "Month to Date" etc.

The intention is to filter the results based on order_time instead of _time.


0 Karma

woodcock
Esteemed Legend

Let's break it down line by line:

| eval created_upper_token=if("$time_token.latest$"="" OR like("$time_token.latest$","%now%"),"@s","$time_token.latest$")
| eval created_lower_token=if("$time_token.earliest$"="",0,"$time_token.earliest$")

Those 2 lines capture the value of the Time picker.

| replace "rt*" with * in created_upper_token
| replace "rt*" with * in created_lower_token

Those 2 lines convert from realtime to NOT realtime.

| eval created_lower_bound = if(isnum(created_lower_token), created_lower_token, relative_time(now(),created_lower_token)) 
| eval created_upper_bound = if(isnum(created_upper_token), created_upper_token, relative_time(now(),created_upper_token))

If the values in the Time picker were integers, then use them. If they were relative time modifiers, then convert them to integers.

| where order_date >= created_lower_bound AND order_date <= created_upper_bound

That line filters the results set to those events between the Time picker bounds.

pavanraghav
Explorer

Hi arjun,
Thanks a lot for the explanation.

Can you please help me by explaining the code below too:

| eval e="$time_token.earliest$", l="$time_token.latest$"
| eval e=case(match(e,"^\d+$"),e, e="" OR e="now", "0", true(), relative_time(now(),e))
| eval l=case(match(l,"^\d+$"),l, l="" OR l="now", "2145916800", true(), relative_time(now(),l))
| eval e=tonumber(e), l=tonumber(l)
| where order_date >= e AND order_date <= l

0 Karma
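The token handling in arjunpkishore5's accepted answer and in the follow-up query just above, modelled in Python as an added example (not code from the thread and not Splunk's own implementation). The `relative_time()` below is a hypothetical re-implementation of only the subset of Splunk's relative-time syntax a time picker normally emits: `now`, `[+-]N<unit>`, an optional `@<unit>` snap-to, the `rt` real-time prefix, and plain epoch numbers. It evaluates in UTC, whereas Splunk applies the search user's time zone, and the unit spellings, the constructed `NOW` and the sample `order_date` values are all assumptions made for the example.

```python
"""Python model (added example, not Splunk code) of how the two queries above
turn time-picker tokens into epoch bounds. relative_time() here is a
hypothetical re-implementation of a subset of Splunk's relative-time syntax,
evaluated in UTC; Splunk itself uses the search user's time zone."""
import calendar
import re
from datetime import datetime, timedelta, timezone

# Unit spellings this model accepts (assumption: a subset of what Splunk accepts).
UNIT_ALIASES = {"s": "s", "sec": "s", "m": "m", "min": "m", "h": "h", "hr": "h",
                "d": "d", "day": "d", "w": "w", "week": "w",
                "mon": "mon", "month": "mon", "y": "y", "year": "y"}
SECONDS_PER = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
FIELDS = ["month", "day", "hour", "minute", "second", "microsecond"]
OFFSET_RE = re.compile(r"^([+-]?)(\d+)([a-z]+)$")

def _shift_months(dt, months):
    """Move dt by whole months, clamping the day (Mar 31 - 1mon -> Feb 28/29)."""
    year, month0 = divmod(dt.year * 12 + (dt.month - 1) + months, 12)
    day = min(dt.day, calendar.monthrange(year, month0 + 1)[1])
    return dt.replace(year=year, month=month0 + 1, day=day)

def _snap(dt, unit):
    """Truncate dt to the start of <unit>, i.e. Splunk's '@unit' snap-to."""
    if unit == "w":  # Splunk snaps @w to the preceding Sunday
        return _snap(dt, "d") - timedelta(days=(dt.weekday() + 1) % 7)
    first = {"y": 0, "mon": 1, "d": 2, "h": 3, "m": 4, "s": 5}[unit]
    reset = {f: (1 if f in ("month", "day") else 0) for f in FIELDS[first:]}
    return dt.replace(**reset)

def relative_time(now_epoch, modifier):
    """Model of relative_time(now(), modifier): returns epoch seconds as a float."""
    modifier = modifier.strip()
    if modifier in ("", "now"):
        return float(now_epoch)
    offset_part, _, snap_part = modifier.partition("@")
    dt = datetime.fromtimestamp(now_epoch, tz=timezone.utc)
    if offset_part:
        m = OFFSET_RE.match(offset_part)
        if not m or m.group(3) not in UNIT_ALIASES:
            raise ValueError(f"unparseable time modifier: {modifier!r}")
        count, unit = int(m.group(2)), UNIT_ALIASES[m.group(3)]
        count = -count if m.group(1) == "-" else count
        if unit in ("mon", "y"):
            dt = _shift_months(dt, count * (12 if unit == "y" else 1))
        else:
            dt += timedelta(seconds=count * SECONDS_PER[unit])
    if snap_part:
        if snap_part not in UNIT_ALIASES:
            raise ValueError(f"unparseable snap-to: {modifier!r}")
        dt = _snap(dt, UNIT_ALIASES[snap_part])
    return dt.timestamp()

def _isnum(value):
    """Approximation of Splunk's isnum(): true when the string parses as a number."""
    try:
        float(value)
        return True
    except ValueError:
        return False

def created_bounds(earliest, latest, now_epoch):
    """Mirror of the accepted answer's query: tokens -> (lower_bound, upper_bound)."""
    # eval created_upper_token = if(latest="" OR like(latest,"%now%"), "@s", latest)
    upper = "@s" if latest == "" or "now" in latest else latest
    # eval created_lower_token = if(earliest="", 0, earliest)
    lower = "0" if earliest == "" else earliest
    # replace "rt*" with * : strip the real-time prefix, keep whatever followed it
    upper = upper[2:] if upper.startswith("rt") else upper
    lower = lower[2:] if lower.startswith("rt") else lower
    # if(isnum(token), token, relative_time(now(), token))
    def bound(tok):
        return float(tok) if _isnum(tok) else relative_time(now_epoch, tok)
    return bound(lower), bound(upper)

def created_bounds_v2(earliest, latest, now_epoch):
    """Mirror of the follow-up query: ^\\d+$ passes through, blank/now -> fixed defaults."""
    def norm(tok, default):
        if re.fullmatch(r"\d+", tok):
            return float(tok)
        if tok in ("", "now"):
            return float(default)  # 2145916800 is 2038-01-01T00:00:00Z, a far-future cap
        return relative_time(now_epoch, tok)
    return norm(earliest, 0), norm(latest, 2145916800)

def filter_orders(events, earliest, latest, now_epoch):
    """The final where clause: keep events whose order_date lies within the bounds."""
    lo, hi = created_bounds(earliest, latest, now_epoch)
    return [e for e in events if lo <= e["order_date"] <= hi]

if __name__ == "__main__":
    NOW = 1700000000  # constructed "now": 2023-11-14T22:13:20Z
    orders = [{"id": 1, "order_date": 1699900000},  # constructed sample events
              {"id": 2, "order_date": 1699000000}, {"id": 3, "order_date": 1700000001}]
    print(created_bounds("-7d@d", "rtnow", NOW))
    print([o["id"] for o in filter_orders(orders, "-7d@d", "now", NOW)])
```

Running the module shows the three token shapes being reconciled: `-7d@d` snaps to midnight seven days back, `rtnow` loses its real-time prefix and becomes the current second, and a bare epoch number passes straight through. The one behavioural difference between the two queries is visible in `created_bounds_v2`: it has no `rt` stripping, so a real-time picker value reaches `relative_time()` unparsed. This model raises on that input; in Splunk an unparseable modifier leaves the bound empty, and a `where` comparison against an empty bound matches nothing, so the search silently returns no rows rather than an error.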