Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to input time using earliest and latest tokens on a string date?

timcolpo
Explorer
‎09-23-2016 02:56 PM

I have a KVS that contains a week_date in the form of a string m/d/Y

|inputlookup AAA__test_execution_count | eval _time=strptime(week_date,"%m/%d/%Y")

Now what I want to do is have an input time on a form and use the earliest and latest tokens generated to ensure that that the week dates fall in the time range of the selected time.

        <input type="time" token="time_token" searchWhenChanged="true">
            <label>Select Event Time Filter:</label>
           <default>Business week to date</default>
        </input>

to later be used in a form something like

| inputlookup AAA__test_execution_count 
|eval _time=strptime(week_date,"%m/%d/%Y") 
|  <<<<<< to be in the range >>>>>> specified by the input file
| stats count by week_date

driving range from the query $time_token.earliest$ and $time_token.earliest$

Now I have tried getting the _time as coded to then add in any tags but this does not work.

I am now trying to manually generate a from and to time to compare using the settings but I am getting very confused on the different possible flavors of relative and custom times that could come out of the time picker.

Labels (2)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-24-2016 01:49 PM

Not certain I understand your question, but I'll give you some pointers that may help you

First... to get earliest/latest for time selected the timepicker, try this

<input type="time" token="time_token" searchWhenChanged="true">
   <label>Select Event Time Filter:</label>
   <default>Business week to date</default>
   <change>
    <eval token="e">if(isnum($time_token.earliest$, $time_token.earliest$, relative_time(now(), $time_token.earliest$)</eval>
    <eval token="l">if(isnum($time_token.latest$, $time_token.latest$,  relative_time(now(), $time_token.latest$)</eval>
</input>

To determine if week_date false between e & l, try this

base search | eval isBetween=if(week_date>=relative_time(e, "@d") AND week_date<=relative_time(l, "@d"), "Yes", "No")

View solution in original post

Reply
Solved! Jump to solution

drewg33
Engager
‎05-07-2019 09:33 AM

I know this has been answered already but I came across this same problem and I wrote a bit more code to account for a few addition cases that you can come across with time picker values depending on if you use preset times, date before/after/between, advanced, etc.
So I think this should account for all the possible types of values that a time picker token can have.
I hope this helps someone else because it took me a couple hours of debugging and iterating to get this to work perfectly for me. 

| eval e="$time_token.earliest$", l="$time_token.latest$"
| eval e=case(match(e, "^\d+$"), e, 
                    e="" OR e="now", "0", 
                    true(), relative_time(now(), e))
| eval l=case(match(l, "^\d+$"), l, 
                    l="" OR l="now", "2145916800", 
                    true(), relative_time(now(), l))
| eval e=tonumber(e), l=tonumber(l)
| where _time>='e' AND _time<='l'
Reply
Solved! Jump to solution

kartina
Engager
‎05-29-2020 03:47 AM

Thank you, @drewg33!
It was so helpful to me!

0 Karma
Reply
Solved! Jump to solution

noukash
Explorer
‎09-03-2019 12:49 AM

I have been looking for this for a long time. Could not get it by myself. Big thank you for this awesome solution.

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-24-2016 01:49 PM

Not certain I understand your question, but I'll give you some pointers that may help you

First... to get earliest/latest for time selected the timepicker, try this

<input type="time" token="time_token" searchWhenChanged="true">
   <label>Select Event Time Filter:</label>
   <default>Business week to date</default>
   <change>
    <eval token="e">if(isnum($time_token.earliest$, $time_token.earliest$, relative_time(now(), $time_token.earliest$)</eval>
    <eval token="l">if(isnum($time_token.latest$, $time_token.latest$,  relative_time(now(), $time_token.latest$)</eval>
</input>

To determine if week_date false between e & l, try this

base search | eval isBetween=if(week_date>=relative_time(e, "@d") AND week_date<=relative_time(l, "@d"), "Yes", "No")
Reply
Solved! Jump to solution

Xisor
Explorer
‎10-10-2016 04:06 AM

That didn't quite work for me, but it was very close and got me to a working answer!

I haven't re-factored it back into the XML, but in the pure SPL I found this had to be undertaken:

| eval e=if(isnum("$time_token.earliest$"), "$time_token.earliest$", relative_time(now(), "$time_token.earliest$"))
| eval l=if(isnum("$time_token.latest$"), "$time_token.latest$",  relative_time(now(), "$time_token.latest$"))
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...