Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to set the Time Range Picker to apply to another Time Date field (not _time)?

jnuckolls0001
Loves-to-Learn
‎08-10-2022 10:59 PM

Hello!

New to splunk. Trying to make a dashboard to find Change tickets in our enviornment to help with outage diagnostics. Long story short, I'd like to have the Time Range Picker apply to fields that contain dates, but not the _time field. There are two fields specifically, Start Date and End Date, that I would like to work with.

 

I'd like the Time Range picker to apply to the dates in the Start Date and End Date fields instead of _time. Is there any way to do this for one if not both fields?

0 Karma
Reply

jnuckolls0001
Loves-to-Learn
‎08-11-2022 12:03 AM

would a variable or token be involved in the | where command? Unsure how the second time picker would only apply to a specific field  with the where command...sorry if obvious, total scrub.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-11-2022 12:14 AM

Yes and no

You could use another token or tokens for the where command or you could use the same one although I am not sure that would be particularly useful - it depends on your data

0 Karma
Reply

jnuckolls0001
Loves-to-Learn
‎08-11-2022 10:05 AM

Can you use the where command to replace the _time with the field I would like to work with? or would it just replace the name of the field and keep the same data? So something like:

| where _time = dv_end_date ?

I just tried it out and it didn't return any results so I'm most likely using it wrong or misunderstanding how to use | where in your context. 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-11-2022 11:31 AM

The where command takes logical expressions i.e. either true or false - strictly speaking it would be |where _time == dv_end_date but Splunk is quite forgiving in this regard.

Perhaps you could share what it is you have tried so we can see if we can work out why it didn't work.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-10-2022 11:09 PM

Yes and no

The initial search will retrieve events between an earliest time and a latest time. These times are chosen by the timepicker. They apply to the timestamp field of the events _time. So, whatever events you are interested in would have to fall between the earliest and latest times. (That's the no part)

However, you could then use a second timepicker to filter one or more of the fields using a where command. (That's the yes part)

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...