I have a KVS that contains a week_date in the form of a string m/d/Y
|inputlookup AAA__test_execution_count | eval _time=strptime(week_date,"%m/%d/%Y")
Now what I want to do is have an input time on a form and use the earliest and latest tokens generated to ensure that that the week dates fall in the time range of the selected time.
<input type="time" token="time_token" searchWhenChanged="true"> <label>Select Event Time Filter:</label> <default>Business week to date</default> </input>
to later be used in a form something like
| inputlookup AAA__test_execution_count |eval _time=strptime(week_date,"%m/%d/%Y") | <<<<<< to be in the range >>>>>> specified by the input file | stats count by week_date
driving range from the query $time_token.earliest$ and $time_token.earliest$
Now I have tried getting the _time as coded to then add in any tags but this does not work.
I am now trying to manually generate a from and to time to compare using the settings but I am getting very confused on the different possible flavors of relative and custom times that could come out of the time picker.
Not certain I understand your question, but I'll give you some pointers that may help you
First... to get earliest/latest for time selected the timepicker, try this
<input type="time" token="time_token" searchWhenChanged="true"> <label>Select Event Time Filter:</label> <default>Business week to date</default> <change> <eval token="e">if(isnum($time_token.earliest$, $time_token.earliest$, relative_time(now(), $time_token.earliest$)</eval> <eval token="l">if(isnum($time_token.latest$, $time_token.latest$, relative_time(now(), $time_token.latest$)</eval> </input>
To determine if week_date false between e & l, try this
base search | eval isBetween=if(week_date>=relative_time(e, "@d") AND week_date<=relative_time(l, "@d"), "Yes", "No")
That didn't quite work for me, but it was very close and got me to a working answer!
I haven't re-factored it back into the XML, but in the pure SPL I found this had to be undertaken:
| eval e=if(isnum("$time_token.earliest$"), "$time_token.earliest$", relative_time(now(), "$time_token.earliest$")) | eval l=if(isnum("$time_token.latest$"), "$time_token.latest$", relative_time(now(), "$time_token.latest$"))
I know this has been answered already but I came across this same problem and I wrote a bit more code to account for a few addition cases that you can come across with time picker values depending on if you use preset times, date before/after/between, advanced, etc.
So I think this should account for all the possible types of values that a time picker token can have.
I hope this helps someone else because it took me a couple hours of debugging and iterating to get this to work perfectly for me.
| eval e="$time_token.earliest$", l="$time_token.latest$" | eval e=case(match(e, "^\d+$"), e, e="" OR e="now", "0", true(), relative_time(now(), e)) | eval l=case(match(l, "^\d+$"), l, l="" OR l="now", "2145916800", true(), relative_time(now(), l)) | eval e=tonumber(e), l=tonumber(l) | where _time>='e' AND _time<='l'
I have been looking for this for a long time. Could not get it by myself. Big thank you for this awesome solution.