adjust earliest / latest values at search time

JWBailey
Communicator

I have a form that allows the user to input a text token. The idea is the user will input date and time information. I then would like to have a search on the form run starting 10 minutes before the value entered, and ending 10 min after.

I would like the user to be able to enter the value in a readable format, %m/%d/%y %T for example. I assume I will then have to convert it to epoch format so I can add / subtract 600 seconds. I can do this using … | convert mktime($user__input$) AS epoc_time | eval Start=epoc_time-600 | eval End=epoc_time+600

How can I now use these values to control the earliest and latest variables for the search?

Is there an easier way to do this all together?

I know I could just have the user perform the calculations and input the adjusted values into different tokens, but I would like to avoid that.


lguinn2
Legend

You could do it like this

… | convert mktime($user__input$) AS epoc_time 
| eval Start=epoc_time-600 
| eval End=epoc_time+600
| where _time >= Start AND _time <= End

However, this means that the initial search would run over all time, which is probably not what you want.
In a simple XML form, you can include the Time Range Picker, which I think will work much better for what you want...

<fieldset>
  <input type="time">
  </input>
</fieldset>

JWBailey
Communicator

Thanks for the response, but I already have the time picker added to provide other functionality on the form.

The scope of the form is to look for events over a specific time, and then I was hoping to have a panel on the form that shows other events right before and right after the identified window.

For example, a list of people who logged on right before the start time, and people that logged off right after the end time.

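The arithmetic behind lguinn2's search (convert the typed time to epoch, pad it by 600 seconds, keep the events whose _time falls inside the padded range) together with the logon-before / logoff-after panel described in the follow-up reply, as an added Python example that is not part of any post on this page. It assumes the typed time is UTC, uses constructed sample events in place of Splunk results, and generalizes the fixed 600 seconds into a `pad` parameter so the same logic covers any window size.

```python
from datetime import datetime, timezone

# The 10 minutes (in seconds) the thread adds on each side of the typed time.
WINDOW_PAD = 600


def parse_user_input(text, fmt="%m/%d/%y %T"):
    """Turn the human-readable form value into a Unix epoch (assumption: UTC).

    Python's strptime has no %T directive, so it is expanded to the
    equivalent %H:%M:%S before parsing.
    """
    fmt = fmt.replace("%T", "%H:%M:%S")
    dt = datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def padded_window(epoch, pad=WINDOW_PAD):
    """Return (Start, End): the typed time minus and plus the pad, as in the thread."""
    return epoch - pad, epoch + pad


def events_in_window(events, start, end):
    """Equivalent of `| where _time >= Start AND _time <= End`."""
    return [e for e in events if start <= e["_time"] <= end]


def neighbours(events, start, end, pad=WINDOW_PAD):
    """Logons in the `pad` seconds just before `start`, logoffs in the `pad`
    seconds just after `end` (the use case from the follow-up reply).
    Boundaries: the window itself is excluded, the outer edge is included."""
    before = [e for e in events
              if e["action"] == "logon" and start - pad <= e["_time"] < start]
    after = [e for e in events
             if e["action"] == "logoff" and end < e["_time"] <= end + pad]
    return before, after


# Constructed sample data: a one-hour window identified by the form, with
# a few logon/logoff events scattered around it (not real log data).
WINDOW_START = parse_user_input("03/15/24 14:00:00")   # 1710511200
WINDOW_END = WINDOW_START + 3600

SAMPLE_EVENTS = [
    {"_time": WINDOW_START - 300, "user": "alice", "action": "logon"},   # 5 min before
    {"_time": WINDOW_START - 900, "user": "bob",   "action": "logon"},   # 15 min before: too early
    {"_time": WINDOW_START + 10,  "user": "carol", "action": "logon"},   # inside the window
    {"_time": WINDOW_END,         "user": "frank", "action": "logoff"},  # on the boundary: inside
    {"_time": WINDOW_END + 120,   "user": "dave",  "action": "logoff"},  # 2 min after
    {"_time": WINDOW_END + 700,   "user": "erin",  "action": "logoff"},  # 11 min after: too late
]


if __name__ == "__main__":
    start, end = padded_window(WINDOW_START)
    print("padded window:", start, end)
    print("in window:", [e["user"] for e in events_in_window(SAMPLE_EVENTS, WINDOW_START, WINDOW_END)])
    before, after = neighbours(SAMPLE_EVENTS, WINDOW_START, WINDOW_END)
    print("logged on just before:", [e["user"] for e in before])
    print("logged off just after:", [e["user"] for e in after])
```

The `neighbours` function is the part a Splunk panel would express with two `where` clauses on `_time`; the padded range is still computed once, so the panel and the main search agree on what "just before" and "just after" mean.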