Solved: Display condition based result in dashboard (time ...

nilanjankc · ‎07-02-2019

Hi
I am New to Splunk
I have created one dashboard like below
ProcessName LastUpdated
ProcessA 2019-05-16 14:42:21.12
ProcessB 2019-05-16 14:50:21.12
ProcessC 2019-05-16 14:55:21.12

But now I have to show only those data/results where the difference between EventTimeand LastUpdated is greater than 10 minutes
I have written a search
*index=test source=testSource | table ProcessName LastUpdated |eval diff = _time - strptime(LastUpdated, "%Y-%m-%d %H:%M:%S")| where diff >= 600 *

But I am getting empty result/No reslut though there are some records which fulfills my criteria.

can anyone help ..

renjith_nair · ‎07-02-2019

@nilanjankc ,

You dont have the _time in your final result because your are restricting the fields to ProcessName , LastUpdated by using the table command. Include _time as well in the table and you should be fine.

Also worth to check the time format and include microseconds if its needed

Happy Splunking!

View solution in original post

renjith_nair · ‎07-02-2019

@nilanjankc ,

You dont have the _time in your final result because your are restricting the fields to ProcessName , LastUpdated by using the table command. Include _time as well in the table and you should be fine.

Also worth to check the time format and include microseconds if its needed

Happy Splunking!

nilanjankc · ‎07-02-2019

Thank you for your help,its working now

Display condition based result in dashboard (time comparison)

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life