I have events like this
Here Start field has the value 1271646762 and End field has the value 1273602865
How do I make the custom field automatically change based on the earliest epoch time on Start field and latest epoch time on End field ?
These events are coming from a CSV file which gets updated by cronjob.
So when I search for the report with index="hobbit" I like the timerange to automatically change based on the only CSV file it indexes.
I like the timerange to show something like this
Are you asking for a way users can interact with those events that would be like: 'search for events between this start and endtime'?
If so then you can use a workflow action.
In brief, you can configure a workflow action, such that when the 'Start' field and the 'End' field are both present in any event, the user is given an option in the event menu that can be a URL (ie to flashtimeline), and in that URL you can use the Start and End field values to preset the earliest= and latest= arguments in the flashtimeline URL. Setting those arguments will correctly prepopulate the TimeRangePicker.
And the URI part of your workflow action would look like this:
I really don't understand your question....
Are you trying to use the CSV events to determine the timerange of search in splunk? That seems like an odd thing to do, but it's somewhat possible using the
map search command.
You could try a search like:
index=hobbit | map search="search index=hobbit starttimeu::$Start$ endtimeu::$End$"
This isn't going to reset the timerange picker in the upper right hand of the screen, if that's what you are trying to do.
If you are simply trying to see
End in a human readable format, you can do that quite easily with:
index=hobbit | convert timeformat="%Y%m%d %H:%M:%S" ctime(Start), ctime(End)
If you clarify your question, I or someone else may be able to give you a better suggestion.