I have one column in my search named timerange which shows the time at which that event happened. I want to plot a graph (timechart), but on the dashboard I want to use a time picker which queries the time from my timerange column.
So, when I wrote the Splunk search query to get the data from the indexes, I got the following results:
_time (time at which values got indexed), Total, Stable, Time (time at which the event happened)
1. 2019-06-25 23:56, 100, 100, 2019-06-05 05:07
2. 2019-06-25 23:56, 500, 500, 2019-06-05 05:08
3. 2019-06-25 23:56, 550, 570, 2019-06-05 05:09 (and so on, one row for every minute)
The _time column has the same value in every row.
If I use the above search query to create a dashboard, and in the time picker I select data between 2019-06-05 and 2019-06-06, there are no values to plot. But if I select data between 2019-06-25 and 2019-06-26, it shows that event.
So basically I want to map my time picker to the time values at which the event happened, not the time at which the values got indexed.
@himanshu_idt yes, this was one of the options proposed in the answer link I posted below. If that answer has helped, do upvote it so that it is helpful for others facing this issue.
Do also read the thread, as the All Time time picker selection needs additional attention 🙂
The right thing to do is to fix _time. In other words, do your time-extraction correctly. It appears that you have a lazy Splunk admin and he used DATETIME_CONFIG = CURRENT in props.conf for your sourcetype. Have him go back and do his job right.
@himanshu_idt the right approach would be to fix the time while indexing the data so that it picks the time from the Time field in your data rather than setting it to the indexed time (current time). Refer to the Splunk docs for setting up props.conf for correct timestamp recognition: https://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition
However, there is an alternate approach: set a token for filtering Time values using string time, based on the time picker selection, using an independent search. Refer to one of my older answers on how to set a string time token of a specific format using this approach: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html
@himanshu_idt you would need to add more details for the community to assist you better. Do you have Time displayed in a table which you want to use for drilldown? Please add an example of what you currently have and what your use case is.