Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Date formatting in dashboard studio?

wkrupinsky
Explorer
‎11-30-2022 11:25 AM

I am using a single value in a dashboard, it is only showing a date, but I cannot get the date to format the way want it on the dashboard. My search string is: index=conmon earliest=11/23/2022:00:00:00 dedup LASTMODIFIED eval tst = strftime(strptime(LASTMODIFIED, %Y-%m-%d), %Y-%m-%d) fields tst

want 11-23-2022 , but continue to get 2022-11-23T13:35:53-05:00

The search on its own brings back the value correctly, but not on the dashboard. Any help would b greatly appreciated.

Bill K

Labels (1)
Labels
0 Karma
Reply

wkrupinsky
Explorer
‎12-07-2022 05:29 AM

richgalloway, maybe this makes more sense, here is my search string: index=conmon earliest>="12/05/2022:00:00:00" | dedup _time | eval mytime=strftime(_time, "%F") | table mytime

as a search I get back the value correctly, when I use this search in a dashboard singlevalue panel, i get utc with time as the value showing

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-07-2022 12:05 PM

I can't reproduce this problem.  The query displays times in my selected time zone in both the search window and in a dashboard.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

wkrupinsky
Explorer
‎11-30-2022 02:30 PM

richgalloway, changing the format did not help. LASTMODIFIED doe snot come up as a choice, just _time or tst(null) as the selected data field. it is date time. but a string in the data itself

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-01-2022 06:55 AM

What do you mean by "LASTMODIFIED does not come up as a choice"? Is LASTMODIFIED a field? If not then why is it in the query?

Please share sanitized sample events if you need help extracting LASTMODIFIED.

---
If this reply helps you, Karma would be appreciated.
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-30-2022 11:53 AM

The format string in strftime is incorrect. Try "%m-%d-%Y".

index=conmon earliest=11/23/2022:00:00:00 
| dedup LASTMODIFIED 
| eval tst = strftime(strptime(LASTMODIFIED, "%Y-%m-%d"), "%m-%d-%Y") 
| fields tst
---
If this reply helps you, Karma would be appreciated.
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-30-2022 12:16 PM

That depends, however, on the format of the LASTMODIFIED field. Would you please share that?

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...