Dashboards & Visualizations

adjust earliest / latest values at search time

JWBailey
Communicator

I have a form that allows the user to input a text token. The idea is the user will input date and time information. I then would like to have a search on the form run starting 10 minutes before the value entered, and ending 10 min after.

I would like the user to be able to enter the value in a readable format, %m/%d/%y %T for example. I assume I will then have to convert it to epoc format so I can add / subtract 600 seconds. I can do this using … | convert mktime($user__input$) AS epoc_time | eval Start=epoc_time-600 | eval End=epoc+600

How can I now use these values to control the earliest and latest variables for the search?

Is there an easier way to do this all together?

I know I could just have the user perform the calculations and input the adjusted values into different tokens, but I would like to avoid that.

0 Karma

lguinn2
Legend

You could do it like this

… | convert mktime($user__input$) AS epoc_time 
| eval Start=epoc_time-600 
| eval End=epoc+600
| where _time >= Start AND _time <=End

However, this means that the initial search would run over all time, which is probably not what you want.
In a simple XML form, you can include the Time Range Picker, which I think will work much better for what you want...

<fieldset>
  <input type="time">
  </input>
</fieldset>
0 Karma

JWBailey
Communicator

Thanks for the response, but I already have the time picker added to provide other functionality on the form.

The scope of the form is to look for events over a specific time, and then I was hoping to have a panel on the form that shows other events right before and right after the identified window..

For example, a list of people who logged on right before the start time, and people that logged off right after the end time.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...