how to set date field as a token for earliest and ...

manjuase · ‎11-15-2019

Hi All,

I have a comma separated file like below

Name class "Report Date"
x 1 10/11/2019
Y 2 12/11/2019

while indexing in props.conf i mentioned
TIMESTAMP_FIELDS = "Report Date"
TIME_FORMAT = %d/%m/%Y

so in my index I am having the above two events like below

Time Event
10/11/19 x,1,10/11/2019
12:00:00.000 AM

12/11/19 y,2.12/11/2019
12:00:00.000 AM

i have a drop down which is having "Report Date" field values. when i choose 10/11/2019 other panels in my dashboard should show the events on the date 10/11/2019.

i tried to pass the values of the drop down as a token for earliest and latest in panels.. but it is showing invalid earliest time.

can anyone help me on this ?

gcusello · ‎11-15-2019

Hi @manjuase,
did you tried to extract a list of your "Report Date" in your dropdown list?
In other words, in the dropdown list insert a search like this:

index=my_index
| dedup "Report Date"
| table "Report Date"

If your "Report Date" isn't sorted you have to pass for epochtime, so to have a desc sorting:

index=my_index
| dedup "Report Date"
|eval epoch=strptime("Report Date","%m/%d/&Y")
| sort -epoch
| table "Report Date"

Ciao.
Giuseppe

how to set date field as a token for earliest and latest

Simplifying the Analyst Experience with Finding-based Detections

[Puzzles] Solve, Learn, Repeat: Word Search

[Puzzles] Solve, Learn, Repeat: Advent of Code - Day 4

Join the Conversation

how to set date field as a token for earliest and latest

Simplifying the Analyst Experience with Finding-based Detections

[Puzzles] Solve, Learn, Repeat: Word Search

[Puzzles] Solve, Learn, Repeat: Advent of Code - Day 4