- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to create a dashboard from a lookup file that has fields:
Ticket_ID
Open_Date
Close_Date
Description
I am having the hardest time trying to get the Time input field to reference the Open_Date so that it's easier to search for certain tickets between a certain date from a dashboard. I have tried eval _time=Open_Date but that didn't work for me. Any ideas?
Below is a sample of the fields:
Ticket_ID = 123
Open_Date = 9/4/2014 9:07:29 AM
Close_Date = 9/5/2014 9:07:29 AM
Description = This is an example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The time selector criteria of a search will only run on the _time value of the raw events - which don't exist here since you have a lookup file.
Your options:
- If you want to filter on a field of those events, you would have to add in your own logic. Most do this by creating some static items in an input selector - the token of which is passed to the search as criteria against those lookup entries.
- Index the lookup file data (instead of using a lookup file) with one of the fields being processed as the _time value. Then you'll be able to do this using the raw events.
If still is no good, we can talk about the goal of the dashboard itself and make sure that we haven't overlooked a different solution all together.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The time selector criteria of a search will only run on the _time value of the raw events - which don't exist here since you have a lookup file.
Your options:
- If you want to filter on a field of those events, you would have to add in your own logic. Most do this by creating some static items in an input selector - the token of which is passed to the search as criteria against those lookup entries.
- Index the lookup file data (instead of using a lookup file) with one of the fields being processed as the _time value. Then you'll be able to do this using the raw events.
If still is no good, we can talk about the goal of the dashboard itself and make sure that we haven't overlooked a different solution all together.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this. This should give only the results where Open_Date values are between selected time range.
| inputlookup yourLookupTable.csv | eval _time=strptime(Open_Date,"%m/%d/%Y %H:%M:%S %p") | search _time>=[| gentimes start=-1 | eval search=info_min_time | table search] AND _time<[| gentimes start=-1 | eval search=info_max_time | table search]
OR
| inputlookup yourLookupTable.csv | eval filterdate=strftime(strptime(Open_Date,"%m/%d/%Y %H:%M:%S %p"),"%m/%d/%Y:%H:%M:%S") | search filter>=[| gentimes start=-1 | eval search=strftime(info_min_time,"%m/%d/%Y:%H:%M:%S") | table search] AND filter<[| gentimes start=-1 | eval search=strftime(info_max_time,"%m/%d/%Y:%H:%M:%S") | table search]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I understand how to find events between dates, but I am trying to see if its possible for me to use the Time input box on a dashboard for my lookup file even though I set my Open_Date field as _time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think _time needs to be in epoch form. Try eval _time=strptime(Open_Date,"%m/%d/%Y %H:%M:%S %p").
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately, I have already tried that and it didn't work.
