Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Custom time in search bar is not working

gaspnico57
Engager
‎07-05-2019 12:29 AM

Hello everyone!

I am trying to change the time range in the search bar but i am not able to get the time i want...
Here is a screenshot of what i get :
alt text

Do you have any idea of why i get these results?
In my query i do : eval _time=my_unix_time_column | eval nowstring=strftime(now(), "%Y-%m-%d")
My highest value : 1558539900 and my lowest one : 1545145873

Thank you very much!

Preview file
65 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎07-06-2019 03:05 PM

Fix your props.conf to set _time to the correct value. In the meantime, set your Time picker to something appropriately large and then do your search and tack on this:

... | where YourOtherTimeField >= relative_time(now(), "-90d")
0 Karma
Reply

niketn
Legend
‎07-05-2019 05:34 AM

@gaspnico57 please add more details to your question. What is it that you are trying to do and what is not working as expected.

Based on the query snippet, you are overriding _time with my_unix_time_column and showing current day as string time with YYYY-mm-dd format. It does not say what is the issue you are facing.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

gaspnico57
Engager
‎07-05-2019 05:41 AM

Hello @niketnilay,
Thank you for your answer!

I would like to have these result but only for the 90 last days and as you can see, i have _time values from 2018.

It's not normal, is it?

0 Karma
Reply

niketn
Legend
‎07-05-2019 06:00 AM

The time range picker value applies to Event Timestamp field which is _time. If you want to apply Time Range Filter to my_unix_time_column you should enable the same through props.conf while indexing the data by picking up the correct timestamp for the event.

As a workaround (non-efficient) you would need to get the epoch time from Time range picker and apply the same to my_unix_time_column field in your data. However, the search query would need to run for all time or with buffer time to ensure that all events with my_unix_time_column in the range of Time Picker earliest and latest epoch is pulled from index.

Refer to one of my older answers to set earliest and latest epoch time from Time Range filter. https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...