Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Query for multi time fields

thomas6m
New Member
‎04-24-2020 08:44 AM

Hi Team,

We have three time fields

  1. Time - Indexed time( CSV file uploaded time)
  2. Last_uploaded - Microservices latest deployed time
  3. Running_since - Microservices start time

All time fields are in "%+" (Fri Apr 24 05:00:20 +08 2020) format and are in the same timezone

Below fields are getting pushed to splunk through csv file

Time,Org,Space,Microservices,State,Stack,Buildpacks,Last_uploaded,Total_instance,Running_instance,Instance_state,Running_since,Used_CPU,Used_memory_bytes,Total_memory_bytes,Used_disk_bytes,Total_disk_bytes

Please help in how to create input panel for Last_uploaded, Running_since & what would be the query for the below requirement

  1. How to query all microservices deployed between particular dates example ( 14th April to 16th April )
  2. How many microservices were started between particular days example ( 17th April to 20th April )

Tired few options but no luck luck

| eval _time=strptime(Time,"%+") | eval Latest_deployment_time=strptime(Last_uploaded,"%+") | eval Instance_start_time=strptime(Running_since,"%+")

Regards,
Thomas Mathias

0 Karma
Reply

DalJeanis
Legend
‎04-28-2020 11:03 AM

Basically, you need to turn those nasty time formats into internal formats, which if I've decoded this correctly will look like this: 

| eval time_Uploaded = strptime(Last_uploaded,"%a %b %d %H:%M:%S %:::z %Y")

then compare to your datestamps, which you will have calculated in your dash but I'll put in hard code here.

| where time_Uploaded >= strptime("2020-04-14","%Y-%m-%d") 
    AND   time_Uploaded < strptime("2020-04-17","%Y-%m-%d")

Since these aren't the event _time or _indextime, which splunk can search on using its special time references, it may be easier, dash-wise, to have a time picker kick off a null search that returns the start and end times you want in tokens, so you don't have to deal with "now" or "-1d" or any other funky time formats.

0 Karma
Reply

to4kawa
Ultra Champion
‎04-24-2020 04:09 PM
  1. use stats count with time picker
  2. use timechart with rename Running_since as _time
0 Karma
Reply

thomas6m
New Member
‎04-24-2020 04:25 PM

Thanks for your response. I am trying with single static table panel. Based on input panel selection, it should display the result. I will have the below input panels and they are interconnected. Based on user selection, it will display the result

Time,Org,Space,Microservices,State,Buildpacks,Last_uploaded,Total_instance,Running_instance,Instance_state,Running_since

0 Karma
Reply

to4kawa
Ultra Champion
‎04-24-2020 05:24 PM

What's your query?
I can't make query with no log.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...