Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

show last 7 days trend using date from data field.

koreamit3483
Explorer
‎12-20-2021 03:26 AM

I have data coming in which has field as "Log_date" in DD/MM/YYY format. i need to show last 7 days data from today in the dashboard.

I used below to filter last 7 days data, but its not showing as results.

where Log_date>=relative_time(Log_date, "-6d@d")

I need to use date only from the field "Log_date".

Can some one please guide.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-20-2021 03:56 AM

If you have date as string, you have to parse it first to use it in calculations and comparisons.

Use strptime.

<your search>
| eval Log_timestamp=strptime(Log_date,"%D/%M/%Y")
| where Log_timestamp>...

There are two caveats though

1) In order to find and filter the events splunk has to firstly extract the field from all events from your search range and parse them.

2) If your events have _time completely unrelated to this Log_time field, you have to search from a relatively larger time range.

If this is your primary timestamp in those events, consider reconfiguring sourcetype to parse it as _time.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...