Changing _time for a dashboard to another time field

esmonder
Path Finder

Hi, I have a dashboard done up with a time range filter. By default, the time range filter uses _time to scope the results. How do I change the time range filter so that I can have "my_epoch_time" be the time range filter instead of _time?


DalJeanis
SplunkTrust
SplunkTrust

Basically, you want a time range picker to control something other than earliest and latest.

Just add a custom time range picker, give it an appropriate tag, and add the tag into the search language.

Start with the accepted answer on this one... https://answers.splunk.com/answers/204440/dashboard-how-to-use-time-range-input-value-in-oth.html ... and modify it so that the earliest= and latest= in the populating search are the fixed dates that you used when inputting your data, while my_epoch_time is tested against the time picker values.

  earliest=(the first date that this data could be) latest=(after the last date this could be)
  (my_epoch_time>="$global_time.earliest$" AND my_epoch_time<="$global_time.latest$")
  ...the rest of your search terms...


ddrillic
Ultra Champion

Absolutely - earliest and latest are most useful. For reference - How do I extract the second from _time?

niketnilay
Legend

@esmonder, if your dashboard is based on your custom time field and you want your Time input also to be based on your custom time field, you should reconsider your Event Timestamp during your data ingestion. While what you have asked is possible, it will have a severe performance impact on your dashboard.

Can you provide following additional details?

1) Is the _time used in your dashboard or all of your dashboards/reports/alerts based on your custom time field?

2) If _time is going to be used, then what is the difference between _time and your custom time?

3) Can _time be used as a superset and then your custom time as a subset filter? For example, for the last 1 week (via _time), pick events which fall under your custom time range.

4) Can you please post some examples with _time and your custom time? Mock up/anonymize sensitive data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
esmonder
Path Finder

@niketnilay

I have old logs sent from 2015-2017 and am trying to use these old logs to create some visualizations to make sense of them, as well as to test new logs that will be forwarded to Splunk directly.

As we have only set up Splunk recently, our old logs are being channeled into Splunk by sending them via email, thus the "_time" field is indicative of the time these logs were sent into Splunk, not of the real time that they were logged. As such, _time is quite useless for us for these old logs.

Thus, we have a "my_epoch_time" field that was created at indexing time to indicate the real time of logging.

niketnilay
Legend

While ingesting older logs as well, you can tell Splunk to treat my_epoch_time as the event timestamp rather than the actual time when the data is being inserted, using configurations like TIME_PREFIX.

Refer to documentation:
http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps
http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition

You can add a single old file to Splunk in Data Preview Mode to ensure your props.conf is reading time from my_epoch_time rather than defaulting to the current time or the file modified time.

Please involve Splunk Support in case you need assistance with Data Ingestion.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"