How do I use a date field as a parameter to filter...

rkanumula · ‎04-14-2015

Hi,

I am using join in a splunk dashboard with two indexes with time as parameter, but i am not getting the correct results. Without the join, it is working fine.
The date column is st_date and I have used this column in the token also, but I am still getting the wrong output. Please suggest if I missed anything.

My search:

index=a| JOIN type=inner aid[ SEARCH index=b] |table st_date,aid,location

My Xml:

test Clone

<input type="time" token="st_date" searchWhenChanged="true">
  <default>
    <earliest>0</earliest>
    <latest></latest>
  </default>
</input>


<panel>
  <table>
    <search>
      <query>index=a| JOIN type=inner aid[ SEARCH index=b] |table st_date,aid,LOCATION</query>
      <earliest>$st_date.earliest$</earliest>
      <latest>$st_date.latest$</latest>
    </search>
    <option name="wrap">undefined</option>
    <option name="rowNumbers">undefined</option>
    <option name="drilldown">row</option>
    <option name="dataOverlayMode">none</option>
    <option name="count">10</option>
  </table>
</panel>

Index a

sno st_date aid
1 01/01/2014 10
2 01/01/2015 5

Index a

sno aid LOCATION
1 10 us
2 5 UK

If i select date (startdate & enddate) as '01/01/2014 ' & '02/01/2014 '

Expected result
sno LOCATION aid

1 us 10

but i am getting result as

sno LOCATION aid

1 us 10
2 UK 5

Please suggest how to get the Expected result and how to use date parameter as the where condition in splunk search/dashboard with join.

somesoni2 · ‎04-14-2015

In index=a, does the _time value matches the st_time? (means if the timestamp recognition is configured to pickup the event time from the value of field st_time)

rkanumula · ‎04-14-2015

No, _time values is current-date means '2015-04-15 00:56:07'.let me know the configuration settings for to match _time with the st_date

gyslainlatsa · ‎04-14-2015

hi rkanumula,

remove the token st_date and try this, go in the dropdown time and select your time range.

<input type="time" searchWhenChanged="true">
    <default>Last 24 hours</default>
  </input>

  <panel>
    <table>
   <title>table using join between $earliest$ and $latest$</title>
      <search>
        <query>index=a| JOIN type=inner aid[ SEARCH index=b] |table aid,LOCATION</query>
      </search>
      <option name="wrap">undefined</option>
      <option name="rowNumbers">undefined</option>
      <option name="drilldown">row</option>
      <option name="dataOverlayMode">none</option>
      <option name="count">10</option>
    </table>
  </panel>

rkanumula · ‎04-14-2015

Hi,

stil i am getting the wrong results.i am using Date range in presets in time paramter.In that Date Range i am selecting the earliest and Latest dates then the results wil not be in the date range

gyslainlatsa · ‎04-14-2015

hi rkanumula,

st_date is it a field in the index of your data?

rkanumula · ‎04-14-2015

st_date as column in my index .it should check with the date which i got from time paramter

means

st_date>'start_date' and st_date< 'end_date'

How do I use a date field as a parameter to filter results for a dashboard search using join?

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update