Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use time token in dbxquery?

Julia1231
Communicator
‎09-15-2022 12:51 AM

Hi everyone,

I am doing a dashboard in which I'm getting date from Postgresql using dbxquery.

Currently I'm filtering date range by putting it in WHERE of SQL query inside the dbxquery.

However I want to let users choose date range by themselve, for example by creating 2 input boxes in the dashboard and let them enter the time start and end that they want, the data then will be updated corresponding. 

The datetime format that I'm getting from postgresql is yyyy-mm-dd HH:MM:SS

I created an input with a token, but I don't know how to use that token inside my query.

How can I do it please? Or if you have any suggestion for this case, feel free to tell me.

 

Thanks,

Julia

Labels (3)
Tags (1)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-15-2022 01:00 AM

To get the correctly formatted date into a token that you can use in you SQL you need to add the following global search to your dashboard

<search>
  <query>
| makeresults
| addinfo
| eval StartDate = strftime(info_min_time, "%F %T")
| eval EndDate = strftime(info_max_time, "%F %T")
  </query>
  <earliest>$time_picker.earliest$</earliest>
  <latest>$time_picker.latest$</latest>
  <done>
    <set token="start">$result.StartDate$</set>
    <set token="end">$result.EndDate$</set>
  </done>
</search>

Then in your SQL you can use the tokens $start$ and $end$ to denote the start/end time for the SQL search.

Note that the above assumes you name the time picker token as "time_picker"

 

0 Karma
Reply

Julia1231
Communicator
‎09-15-2022 01:10 AM

Hi @bowesmana ,

I'm using dbxquery, something like this: | dbxquery connection="database" query="SELECT created_date, machine_id
FROM table"

when I use |makeresults inside the query, Splunk tells that 

Error in 'dbxquery' command: This command must be the first command of a search.

or

Error in 'makeresults' command: This command must be the first command of a search.

What can I do?

Tags (1)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-15-2022 01:22 AM

The search fragment is a separate search inside your dashboard - put it after the <form> element.

However, you format your SQL query to use start and end dates, just use $start$ and $end$ to represent the start and end dates in your dbxquery, e.g.

| dbxquery connection="database" query="SELECT created_date, machine_id..

WHERE created_date>$start$ AND created_date<$end$

 NB: I don't know the SQL syntax, so you will have to manage that.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...