I have a custom dropdown which defines report dates. For example, there is 9/1/2016 which is a September report spanning from 9/1-9/30.
If I wanted to search the internal index during this report range I thought I should try:
index=_internal earliest=strptime("9/1/2016","%m/%d/%Y")
However, I am given the error "Invalid value "strptime" for time term 'earliest'". Is there a way to pass a value to search earliest and latest without using the time picker?
I had to show events of only one day and I did it in this way:
I created a dropdown as this
<input type="dropdown" token="day" searchWhenChanged="true">
<label>Day</label>
<search>
<query>
mysearch
| dedup myDay
| sort -myDay
| eval TokenDay=strftime(strptime(myDay,"%d/%m/%Y"),"%m/%d/%Y")
| eval sortDay=strptime(myDay,"%d/%m/%Y")
| sort -sortDay
| table myDay tokenDay sortDay
</query>
</search>
<fieldForLabel>myDay</fieldForLabel>
<fieldForValue>tokenDay</fieldForValue>
</input>
and my search was
mysearch earliest="$day$:00:00:00" latest="$day$:23:59:59" | ...
Bye.
Giuseppe
There are couple options
1) Add an change/eval to your dropdown, like this
<input type=dropdown id=time token="t">
....
<change>
<eval token="e">strptime($value$, "%m/%d/%Y")</eval>
</change>
</input>
...
<chart>
<query> index=_internal earliest=$e$...</query>
OR
index=_internal earliest=[| makeresults | eval _time=strptime($tokenTime$, "%m/%d/%Y") | rename _time AS search] | ...