Hi, I have a dashboard set up with a time range filter. By default, the time range filter uses _time to scope the results. How do I change the time range filter so that "my_epoch_time" is used for the time range filter instead of _time?
Basically, you want a time range picker to control something other than earliest and latest.
Just add a custom time range picker, give it an appropriate tag, and add the tag into the search language.
Start with the accepted answer on this one... https://answers.splunk.com/answers/204440/dashboard-how-to-use-time-range-input-value-in-oth.html ... and modify so that the earliest= and latest= in the populating search are the fixed dates that you used when inputting your data, while my_epoch_time is tested against the time picker values.
earliest=(the first date that this data could be) latest=(after the last date this could be)
(my_epoch_time>="$global_time.earliest$" AND my_epoch_time<="$global_time.latest$")
...the rest of your search terms...
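A complete Simple XML dashboard that applies the approach above, added here as an example and not part of the original answer. Two things it assumes: that the mailed-in logs were indexed into an `old_logs` index with sourcetype `my_old_logs` during a known ingest window (the fixed `earliest=`/`latest=` epoch values below are assumed, 2018-01-01 to 2018-07-01 UTC, and must be replaced with your own window), and that `my_epoch_time` is a Unix epoch in seconds. One practical caveat it handles: a time input's `$global_time.earliest$` and `$global_time.latest$` tokens are relative time modifiers such as `-7d@d` or `now` unless the user picks absolute dates, in which case they are epoch numbers, so the search normalises both forms to epoch with `relative_time()` before comparing against `my_epoch_time`.

```xml
<form>
  <label>Old logs filtered by my_epoch_time (added example)</label>
  <fieldset submitButton="false">
    <!-- The time input sets $global_time.earliest$ / $global_time.latest$ only;
         it does not touch the search's own earliest/latest, which stay fixed below. -->
    <input type="time" token="global_time" searchWhenChanged="true">
      <label>Real logging time (my_epoch_time)</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Events per day by real logging time</title>
        <search>
          <!-- earliest/latest are the assumed ingest window (when the emails were
               pushed into Splunk), since _time reflects ingest time for these logs.
               isnum() catches absolute picks (epoch), relative_time() handles
               modifiers like -7d@d or now; coalesce() falls back to now() if the
               latest token is empty, e.g. for "All time". -->
          <query>
            index=old_logs sourcetype=my_old_logs earliest=1514764800 latest=1530403200
            | eval tr_start=if(isnum("$global_time.earliest$"), tonumber("$global_time.earliest$"), relative_time(now(), "$global_time.earliest$"))
            | eval tr_end=coalesce(if(isnum("$global_time.latest$"), tonumber("$global_time.latest$"), relative_time(now(), "$global_time.latest$")), now())
            | where tonumber(my_epoch_time) &gt;= tr_start AND tonumber(my_epoch_time) &lt;= tr_end
            | eval _time=tonumber(my_epoch_time)
            | timechart span=1d count
          </query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
```

Note that the `where` clause runs after the events have already been pulled for the whole fixed ingest window, so every panel scans that entire window regardless of the picker selection; that is the performance cost of filtering on a non-_time field, and the reason the props.conf route further down is preferable for data you have not yet indexed.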
Absolutely - earliest and latest are most useful. For reference - How do I extract the second from _time?
@esmonder, if your dashboard is based on your custom time field and you want your Time input also to be based on your custom time field, you should reconsider your Event Timestamp during data ingestion. What you have asked is possible, but it will have a severe performance impact on your dashboard.
Can you provide the following additional details?
1) Is the _time used in your dashboard, or in all of your dashboards/reports/alerts, based on your custom time field?
2) If _time is going to be used, then what is the difference between _time and your custom time?
3) Can _time be used as a superset and then your custom time as a subset filter? For example, for the last 1 week (via _time), pick events which fall under your custom time range.
4) Can you please post some examples with _time and your custom time? Mock up/anonymize sensitive data.
I have old logs sent from 2015-2017 and am trying to use these old logs to create some visualizations to make sense of them, as well as to test new logs that will be forwarded to Splunk directly.
As we have only set up Splunk recently, our old logs are being channeled into Splunk by sending them via email, thus the "_time" field indicates the time these logs were sent into Splunk, not the real time at which they were logged. As such, _time is quite useless for us for these old logs.
Thus, we have a "my_epoch_time" field that was created at indexing time to indicate the real time of logging.
While ingesting older logs as well, you can tell Splunk to treat my_epoch_time as the event timestamp rather than the actual time when the data is being inserted, using configurations like TIME_PREFIX.
Refer to the documentation:
http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps
http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition
You can take a single old file and add it to Splunk in Data Preview Mode to ensure your props.conf is reading the time from my_epoch_time rather than defaulting to the current time or the file modified time.
Please involve Splunk Support in case you need assistance with Data Ingestion.
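A props.conf stanza for the timestamp-recognition approach described above, added as an example and not taken from the original answer or the Splunk documentation pages linked. It assumes the raw event text contains a literal `my_epoch_time=<10-digit epoch>` (the sourcetype name `my_old_logs` and that field layout are assumptions), and that the stanza is deployed on the indexer or heavy forwarder that parses the data, since timestamp extraction happens at parse time and cannot be changed for events already indexed.

```ini
# props.conf, assumed location: $SPLUNK_HOME/etc/apps/old_logs/local/props.conf
# Assumed sourcetype for the 2015-2017 logs that arrive by email.
# Assumed raw event shape:  ... my_epoch_time=1451606400 ...
[my_old_logs]
# Regex that must precede the timestamp; Splunk starts looking for the
# timestamp immediately after this match instead of at the start of the event
# (which, for a mailed-in log, would otherwise find the email's send date).
TIME_PREFIX = my_epoch_time=
# %s = seconds since the Unix epoch, so no timezone conversion is applied.
TIME_FORMAT = %s
# Look at only the 10 characters after the prefix so that a later number in
# the event cannot be picked up as the timestamp.
MAX_TIMESTAMP_LOOKAHEAD = 10
# Events older than MAX_DAYS_AGO (default 2000) have their timestamp replaced
# with the current time, silently reproducing the original problem for the
# oldest 2015 entries; raise it to cover the full age of the backlog.
MAX_DAYS_AGO = 3650
# The emailed files have no reliable line structure of their own, so break
# events on each occurrence of the epoch field rather than on line endings.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=.*my_epoch_time=\d{10})
```

To check the stanza before reindexing, load one old file through Add Data in Data Preview Mode with this sourcetype selected and confirm the timestamp column shows the 2015-2017 dates from `my_epoch_time` rather than today's date; `splunk btool props list my_old_logs --debug` on the parsing tier shows which file each setting is actually being read from.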