Using custom dropdown to define Time range

markdflip · ‎09-30-2016

I have a custom dropdown which defines report dates. For example, there is 9/1/2016 which is a September report spanning from 9/1-9/30.

If I wanted to search the internal index during this report range I thought I should try:

index=_internal earliest=strptime("9/1/2016","%m/%d/%Y")

However, I am given the error "Invalid value "strptime" for time term 'earliest'". Is there a way to pass a value to search earliest and latest without using the time picker?

gcusello · ‎10-01-2016

I had to show events of only one day and I did it in this way:

I created a dropdown as this

 <input type="dropdown" token="day" searchWhenChanged="true">
      <label>Day</label>
      <search>
        <query>
          mysearch 
         | dedup myDay 
         | sort -myDay 
         | eval TokenDay=strftime(strptime(myDay,"%d/%m/%Y"),"%m/%d/%Y") 
         | eval sortDay=strptime(myDay,"%d/%m/%Y") 
         | sort -sortDay 
         | table myDay tokenDay sortDay
        </query>
      </search>
      <fieldForLabel>myDay</fieldForLabel>
      <fieldForValue>tokenDay</fieldForValue>
    </input>

and my search was

mysearch earliest="$day$:00:00:00" latest="$day$:23:59:59" | ...

Bye.
Giuseppe

sundareshr · ‎09-30-2016

There are couple options

1) Add an change/eval to your dropdown, like this

<input type=dropdown id=time token="t">
....
<change>
<eval token="e">strptime($value$, "%m/%d/%Y")</eval>
</change>
</input>
...
<chart>
<query> index=_internal earliest=$e$...</query>

OR

index=_internal earliest=[| makeresults | eval _time=strptime($tokenTime$, "%m/%d/%Y") | rename _time AS search] | ...

Using custom dropdown to define Time range

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!