Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a dashboard from a lookup file that references a Time input field?

jnguyen413
New Member
‎09-13-2016 07:47 AM

I am trying to create a dashboard from a lookup file that has fields:

Ticket_ID
Open_Date

Close_Date
Description

I am having the hardest time trying to get the Time input field to reference the Open_Date so that it's easier to search for certain tickets between a certain date from a dashboard. I have tried eval _time=Open_Date but that didn't work for me. Any ideas?

Below is a sample of the fields:
Ticket_ID = 123
Open_Date = 9/4/2014 9:07:29 AM
Close_Date = 9/5/2014 9:07:29 AM
Description = This is an example.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sloshburch
Ultra Champion
‎09-14-2016 05:27 AM

The time selector criteria of a search will only run on the _time value of the raw events - which don't exist here since you have a lookup file.

Your options:

  • If you want to filter on a field of those events, you would have to add in your own logic. Most do this by creating some static items in an input selector - the token of which is passed to the search as criteria against those lookup entries.
  • Index the lookup file data (instead of using a lookup file) with one of the fields being processed as the _time value. Then you'll be able to do this using the raw events.

If still is no good, we can talk about the goal of the dashboard itself and make sure that we haven't overlooked a different solution all together.

View solution in original post

Reply
Solved! Jump to solution
Solution

sloshburch
Ultra Champion
‎09-14-2016 05:27 AM

The time selector criteria of a search will only run on the _time value of the raw events - which don't exist here since you have a lookup file.

Your options:

  • If you want to filter on a field of those events, you would have to add in your own logic. Most do this by creating some static items in an input selector - the token of which is passed to the search as criteria against those lookup entries.
  • Index the lookup file data (instead of using a lookup file) with one of the fields being processed as the _time value. Then you'll be able to do this using the raw events.

If still is no good, we can talk about the goal of the dashboard itself and make sure that we haven't overlooked a different solution all together.

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-13-2016 09:42 AM

Try something like this. This should give only the results where Open_Date values are between selected time range.

| inputlookup yourLookupTable.csv | eval _time=strptime(Open_Date,"%m/%d/%Y %H:%M:%S %p") | search _time>=[| gentimes start=-1 | eval search=info_min_time | table search] AND _time<[| gentimes start=-1 | eval search=info_max_time | table search]

OR 

| inputlookup yourLookupTable.csv | eval filterdate=strftime(strptime(Open_Date,"%m/%d/%Y %H:%M:%S %p"),"%m/%d/%Y:%H:%M:%S") | search filter>=[| gentimes start=-1 | eval search=strftime(info_min_time,"%m/%d/%Y:%H:%M:%S") | table search] AND filter<[| gentimes start=-1 | eval search=strftime(info_max_time,"%m/%d/%Y:%H:%M:%S") | table search]
0 Karma
Reply
Solved! Jump to solution

jnguyen413
New Member
‎09-14-2016 04:27 AM

I understand how to find events between dates, but I am trying to see if its possible for me to use the Time input box on a dashboard for my lookup file even though I set my Open_Date field as _time.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-13-2016 09:12 AM

I think _time needs to be in epoch form. Try eval _time=strptime(Open_Date,"%m/%d/%Y %H:%M:%S %p").

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jnguyen413
New Member
‎09-14-2016 04:26 AM

Unfortunately, I have already tried that and it didn't work.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...