Hi,
I am trying to use a token from a drilldown in a previous view in my app. The token contains a date in this format: "%Y-%m-%d %H:%M:%S.%6Q" (it is possible to change the format, but I need to show microseconds).
I used this code to change the format according to earliest and latest:
<input type="text" token="earliest">
<label>earliest</label>
<change>
<eval token="earliest_clean">strftime(strptime($value$,"%Y-%m-%d %H:%M:%S.%6Q"),"%m-%d-%y %H:%M:%S.%6Q")</eval>
</change>
</input>
<input type="text" token="latest">
<label>latest</label>
<change>
<eval token="latest_clean">strftime(strptime($value$,"%Y-%m-%d %H:%M:%S.%6Q"),"%m-%d-%y %H:%M:%S.%6Q")</eval>
</change>
</input>
I tried %3Q, %Q, %6N and %3N; nothing works. The best result is with %3N: the function works, but the result is wrong (milliseconds are missing after conversion):
2020-04-12 21:34:41.268 => 2020-04-12 21:34:41.000
Any idea how to solve this issue?
After solving this issue, I will need to solve another problem: Splunk is unable to search on the same date/time. How do I limit my search to a single microsecond? If there is no other option, how can I add one microsecond to latest?
Have you tried using the epoch format directly in your form? strptime/strftime may truncate your timestamp.
Then you can add a microsecond to it simply with a sum ($value$+0.001) and it should work.
To use epoch directly, you must do a |eval var=_time and use var, because the _time field is modified to be readable when the field is printed on screen.
Splunk event timestamps have 1-second resolution. One cannot search time periods smaller than a second.
After some tests, I am able to search by millisecond intervals.
Please share how you did that.
I used two tokens in this format for earliest and latest: 2020-04-12T21:34:41.611+00:00
<search>
<query>index=$index$</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
Why don't you use epoch with the token, and change it to a string in the query?
I tried with epoch (sending _time from the table in the previous view) but I am unable to add one more millisecond to latest.
<input type="text" token="earliest">
<label>earliest</label>
</input>
<input type="text" token="latest">
<label>latest</label>
<change>
<eval token="latest">$value$</eval> <= I don't know how to add one more millisecond here
</change>
</input>
The query results in: Invalid latest_time: latest_time must be after earliest_time.
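As an added example (not code from any poster in this thread, and written in Python rather than Splunk SimpleXML/SPL), the following shows the token handling the thread is after: parsing the ISO-style tokens used above without losing the sub-second part, converting them to integer epoch microseconds (as the epoch suggestion proposes, but without float rounding), and deriving a latest token one millisecond or one microsecond after earliest so that latest is strictly after earliest, including the rollover into the next second. It assumes the tokens carry a UTC offset as in the example value on the page.

```python
from datetime import datetime, timedelta, timezone

# Token format from the thread: 2020-04-12T21:34:41.611+00:00
# Python's %f accepts 1-6 fractional digits and %z accepts "+00:00" (3.7+).
TOKEN_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_token(value: str) -> datetime:
    """Parse an earliest/latest token into a timezone-aware datetime."""
    return datetime.strptime(value, TOKEN_FMT)


def format_token(ts: datetime, digits: int = 3) -> str:
    """Render a datetime back to the token format with `digits` sub-second
    digits (3 = milliseconds, 6 = microseconds). Formatting with "%S" alone
    would drop the fraction, which is the ".000" symptom in the question."""
    frac = f"{ts.microsecond:06d}"[:digits]
    off = ts.strftime("%z")  # e.g. "+0000"; the tokens on the page use "+00:00"
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%S')}.{frac}{off[:3]}:{off[3:]}"


def to_epoch_us(value: str) -> int:
    """Integer microseconds since the epoch; integers avoid float rounding
    when a small step is added later."""
    return (parse_token(value) - EPOCH) // timedelta(microseconds=1)


def from_epoch_us(us: int, digits: int = 3) -> str:
    """Inverse of to_epoch_us, rendered in UTC."""
    return format_token(EPOCH + timedelta(microseconds=us), digits)


def latest_after(earliest: str, step_us: int = 1000, digits: int = 3) -> str:
    """Build a latest token strictly after `earliest` by `step_us` microseconds
    (1000 = one millisecond, 1 = one microsecond). timedelta arithmetic also
    carries correctly into the next second, unlike editing the string."""
    later = parse_token(earliest) + timedelta(microseconds=step_us)
    return format_token(later, digits)


if __name__ == "__main__":
    earliest = "2020-04-12T21:34:41.611+00:00"   # constructed sample token
    print(earliest, "->", latest_after(earliest))
    print(to_epoch_us(earliest))
```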