Dashboards & Visualizations
Highlighted

Is it possible to store $job.earliestTime$ and $job.latestTime$ values in two variables?

Legend

Hi to all,

Does anyone know if it is possible to store $job.earliestTime$ and $job.latestTime$ in two variables?
I have to match these values with a lookup containing a list of dates in a search.

Thank you.
Bye.
Giuseppe

Highlighted

Re: Is it possible to store $job.earliestTime$ and $job.latestTime$ values in two variables?

Esteemed Legend

Just use eval to make a copy like this:

... | eval jobEarliestTime = $job.earliestTime$ | eval jobLatestTime = $job.latestTime$ ...
Highlighted

Re: Is it possible to store $job.earliestTime$ and $job.latestTime$ values in two variables?

Path Finder

Hello @woodcock, you are a wonderful Splunker. I wanna thank you for all efforts you are providing here.

Regarding the $job.latestTime$ token , in case if you are choosing the preset time "All Time" from the Time Picker, the value is of the token will be null or "NaN".

So how to add a condition using eval if to force it to be eqal to now() in such case?

0 Karma
Highlighted

Re: Is it possible to store $job.earliestTime$ and $job.latestTime$ values in two variables?

Ultra Champion

Time ranges(Settings » User interface » Time ranges):

Name    Label   Order   Earliest time   Latest time Owner
all_time    All time    500 0           No owner
0 Karma
Highlighted

Re: Is it possible to store $job.earliestTime$ and $job.latestTime$ values in two variables?

Path Finder

Thanks , I changed the Latest Time to "now" and it's working.

0 Karma
Highlighted

Re: Is it possible to store $job.earliestTime$ and $job.latestTime$ values in two variables?

Legend

No this solution doesn't work.
I solved storing my date list in an index instead of a lookup: in this way each item has an own timestamp and I can use them.

View solution in original post

Highlighted

Re: Is it possible to store $job.earliestTime$ and $job.latestTime$ values in two variables?

Splunk Employee
Splunk Employee

Not sure if this matches to you use case here, but Splunk 6.3 introduces search event handlers to access job metadata that might get you close to what you are looking for.

From a search and simple xml standpoint, it looks like this:

<search>
   <query>index=foo bar</query>
   <earliest>-60m@m</earliest>
   <latest>now</latest>

    <progress>
        <set token="myEarliest">$job.earliestTyime$</set>
        <set token="myLatest">$job.latestTyime$</set>
    </progress>
<search>

The above simple xml snippet grabs the job earliestTime/latestTime, and sets tokens based on them, making these tokens available throughout the page.

Highlighted

Re: Is it possible to store $job.earliestTime$ and $job.latestTime$ values in two variables?

Contributor

Hi,

And how is it possible to change the format of these two variables:
let's suppose $job.earliestime$ shows 2015-11-03T00:00:00.000+01:00

What if I needed to see only the date and no time zone (not the part T00:00:00.000+01:00)?
Is it possible?

Thanks,
Skender

0 Karma
Highlighted

Re: Is it possible to store $job.earliestTime$ and $job.latestTime$ values in two variables?

Hi,

I was wondering if you had any response regarding how to change the format of those 2 variables: $job.earliestime$$joblatestime$

Thanks!

0 Karma