Hello everyone!
I am trying to change the time range in the search bar but I am not able to get the time I want...
Here is a screenshot of what I get:
Do you have any idea of why I get these results?
In my query I do: eval _time=my_unix_time_column | eval nowstring=strftime(now(), "%Y-%m-%d")
My highest value: 1558539900 and my lowest one: 1545145873
Thank you very much!
Fix your props.conf to set _time to the correct value. In the meantime, set your Time picker to something appropriately large and then do your search and tack on this:
... | where YourOtherTimeField >= relative_time(now(), "-90d")
@gaspnico57 please add more details to your question. What is it that you are trying to do and what is not working as expected?
Based on the query snippet, you are overriding _time with my_unix_time_column and showing current day as string time with YYYY-mm-dd format. It does not say what is the issue you are facing.
Hello @niketnilay,
Thank you for your answer!
I would like to have these results but only for the last 90 days, and as you can see, I have _time values from 2018.
It's not normal, is it?
The time range picker value applies to the Event Timestamp field, which is _time. If you want to apply the Time Range Filter to my_unix_time_column, you should enable the same through props.conf while indexing the data by picking up the correct timestamp for the event.
As a workaround (non-efficient) you would need to get the epoch time from the Time range picker and apply the same to the my_unix_time_column field in your data. However, the search query would need to run for all time or with buffer time to ensure that all events with my_unix_time_column in the range of the Time Picker earliest and latest epoch are pulled from the index.
Refer to one of my older answers to set earliest and latest epoch time from Time Range filter. https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html
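
One way to wire up the workaround described in the answer above as a Simple XML dashboard. This is an added example, not code from this thread or from the linked answer; the token names (tok_time, tok_earliest_epoch, tok_latest_epoch) and the index name your_index are placeholders chosen for illustration.

```xml
<form>
  <label>Filter on my_unix_time_column with the time picker (added example)</label>
  <fieldset submitButton="false">
    <!-- The picker the user changes; tok_time is a hypothetical token name -->
    <input type="time" token="tok_time">
      <label>Time range</label>
      <default>
        <earliest>-90d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Helper search: runs with the picker's range and uses addinfo to
       expose that range as epoch values (info_min_time / info_max_time).
       With "All time" selected, info_max_time is "+Infinity", which the
       where clause below does not handle. -->
  <search>
    <query>| makeresults | addinfo</query>
    <earliest>$tok_time.earliest$</earliest>
    <latest>$tok_time.latest$</latest>
    <done>
      <set token="tok_earliest_epoch">$result.info_min_time$</set>
      <set token="tok_latest_epoch">$result.info_max_time$</set>
    </done>
  </search>

  <row>
    <panel>
      <table>
        <!-- Main search: scans all time, because the indexed _time does not
             match my_unix_time_column, then keeps only events whose
             my_unix_time_column falls inside the picker's epoch range.
             your_index is a placeholder. -->
        <search>
          <query>index=your_index
| where my_unix_time_column &gt;= $tok_earliest_epoch$ AND my_unix_time_column &lt;= $tok_latest_epoch$
| eval _time=my_unix_time_column</query>
          <earliest>0</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```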