We have Date1 mapped in the sourcetype for the index. So if I select last 7 days in the date filter, data is filtered on Date1.
But for my project, I need to use Date2 as a date/duration filter in the dashboard. I cannot change the sourcetype only for my dashboards. Is there any way to make this change in the settings or code?
Sample data:
Created_Date (Date1) | First Name | Last Name | Task | Execution_Date (Date2)
1/12/2017 ABCD XYZ Open Request 12/12/2017
6/12/2017 DDFFG SSV BBB Save the File 12/12/2017
Data has been indexed on CreatedDate (Date1) whereas I want to use ExecutionDate (Date2) as a date filter.
You can use strptime() to use your Execution_Date field as _time. Here is just an example:
... | eval _time = strptime(Execution_Date, "%d/%m/%Y") | ...
Read more about strptime here: http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/DateandTimeFunctions#strptime.28X....
Hope this helps ...
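An added example, not part of the original answer, showing a "last 7 days by Execution_Date" search built on the strptime() call above. The time range picker selects events by their indexed _time (Created_Date here) before eval runs, so this sketch widens the retrieval window with inline time modifiers and then filters on the parsed Execution_Date. The index and sourcetype are placeholders, and the field name Task is assumed from the sample data.

```spl
index=<your_index> sourcetype=<your_sourcetype> earliest=0 latest=now
| eval exec_epoch = strptime(Execution_Date, "%d/%m/%Y")
| where isnotnull(exec_epoch) AND exec_epoch >= relative_time(now(), "-7d@d") AND exec_epoch <= now()
| eval _time = exec_epoch
| timechart span=1d count by Task
```

Events whose Execution_Date does not match the format string produce a null exec_epoch and are dropped by the isnotnull() check instead of silently keeping their indexed _time.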
eval works as expected, create a calculated field http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/definecalcfields out of it and it will work using the time range picker 😉
You need to describe your problem way more specifically. Nobody will get what you are talking about or where you need help by reading what you did write up there.
Give us sample data if possible and please take your time to describe your problem properly, then we are glad to help you out. 🙂