Dashboards & Visualizations

Display condition based result in dashboard (time comparison)

nilanjankc
New Member

Hi
I am New to Splunk
I have created one dashboard like below
ProcessName LastUpdated
ProcessA 2019-05-16 14:42:21.12
ProcessB 2019-05-16 14:50:21.12
ProcessC 2019-05-16 14:55:21.12

But now I have to show only those data/results where the difference between EventTimeand LastUpdated is greater than 10 minutes
I have written a search
*index=test source=testSource | table ProcessName LastUpdated |eval diff = _time - strptime(LastUpdated, "%Y-%m-%d %H:%M:%S")| where diff >= 600 *

But I am getting empty result/No reslut though there are some records which fulfills my criteria.

can anyone help ..

Tags (1)
0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@nilanjankc ,

You dont have the _time in your final result because your are restricting the fields to ProcessName , LastUpdated by using the table command. Include _time as well in the table and you should be fine.

Also worth to check the time format and include microseconds if its needed

Happy Splunking!

View solution in original post

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@nilanjankc ,

You dont have the _time in your final result because your are restricting the fields to ProcessName , LastUpdated by using the table command. Include _time as well in the table and you should be fine.

Also worth to check the time format and include microseconds if its needed

Happy Splunking!
0 Karma

nilanjankc
New Member

Thank you for your help,its working now

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...