Can you help me pass earliest and latest time toke...

Deepz2612 · ‎04-01-2019

Hi,

I have the Begin time and End time as below for an event (which is again extracted using another query)

Begin time : 4:43:55:336 AM
End time : 4:53:00:00 AM

I wanted to pass this earliest and latest time for another panel in the dashboard.

Could you kindly help

Deepz2612 · ‎04-01-2019

I'm sorry..
Begin time and End time will have the date as well. I missed to add it.
Begin time : 04/01/2019 4:43:55:336 AM
End time : 04/01/2019 4:53:00:00 AM

kamlesh_vaghela · ‎04-01-2019

@Deepz2612
You have the Begin time and End time!! But what date you want to consider ?? Current date?

In case of the current date, you can update your another search with below search logic to get Begin_time and End_time.

| makeresults 
| eval date=strftime(now(),"%Y-%m-%d") 
| eval Begin_time=strptime(date." 4:43:55:336 AM","%Y-%m-%d %H:%M:%S:%3Q")
| eval End_time=strptime(date." 4:53:00:00 AM","%Y-%m-%d %H:%M:%S:%3Q")

Here I have used your provided static value as Begin_time and End_time. You can use your filed name also.
In the date field you can mention your required date as well.

[UPDATED]

Consider below search.

| makeresults 
| eval Begin_time=strptime("04/01/2019 4:43:55:336 AM","%d/%m/%Y %H:%M:%S:%3Q")
| eval End_time=strptime("04/01/2019 4:53:00:00 AM","%d/%m/%Y %H:%M:%S:%3Q")

Thanks

kamlesh_vaghela · ‎04-01-2019

@Deepz2612

I have updated my answer. Please check it.

kamlesh_vaghela · ‎04-01-2019

@Deepz2612
You have the Begin time and End time!! But what date you want to consider ?? Current date?

Can you help me pass earliest and latest time tokens to another panel in a dashboard?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?