Getting Data In

Is there a way to add more than one time filter to Splunk reports?

chinmayc469
Explorer

Hello,

Can we add more than one time filter to Splunk reports?

I am trying to do this for pivot reports.

Thanks in advance.

0 Karma

brian_rampley
Path Finder

What is the end-goal for this?

With Pivot reports, you have the option of saving them with a time range picker, which should provide multiple time-filters for the report.

0 Karma

chinmayc469
Explorer

I have created a pivot report.

It has multiple time fields including _time. So my time range picker is based on _time which is the index time.

So if I add other time fields as filters to the report, it takes them as a string or number and not as a time field. Because of this I am not able to do a range with the time filters.

So my question is:

1) How can I assign any other time field to _time, so that I can apply a time filter based on the new time field, without re-indexing data, in a pivot report? (In pivot, it is not easy to customize using a query.)

2) Or can I add more time filters like the default _time range picker, which should be taken as a date/time data type and not as string/number? That is, can we add more than one time field? Because as per my knowledge, there will be only one date/time data type and all other fields will be string/number.

0 Karma

brian_rampley
Path Finder

I don't know of an easy way. Your best bet is to use strptime and/or strftime to create a calculated field based on the additional timestamps in the data, and create a dashboard where users can input their own timestamps (for earliest and latest) to compare to the fields you want to search on. It's not going to be easy to work out, but it should be possible using the simple-xml structure available in dashboards.

0 Karma
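A sketch of the dashboard approach described in the answer above, added here as an example and not taken from either poster. The index `my_index`, sourcetype `my_sourcetype`, the field `event_time` and its `%Y-%m-%d %H:%M:%S` format are assumptions; the epoch value is computed inline with `eval` rather than as a saved calculated field, and the `|s` token filter quotes the user-typed values before they reach the search.

```xml
<form version="1.1">
  <label>Filter on a second timestamp field</label>
  <fieldset submitButton="true">
    <!-- Standard picker: still bounds the search on _time -->
    <input type="time" token="idx_time">
      <label>_time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Free-text bounds for the additional timestamp (constructed defaults) -->
    <input type="text" token="evt_earliest">
      <label>event_time from (YYYY-MM-DD HH:MM:SS)</label>
      <default>2024-01-01 00:00:00</default>
    </input>
    <input type="text" token="evt_latest">
      <label>event_time to (YYYY-MM-DD HH:MM:SS)</label>
      <default>2024-01-02 00:00:00</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- strptime turns the string field and the typed bounds into epoch
               seconds so they compare numerically; events whose event_time
               does not match the format yield null and are dropped by where -->
          <query>index=my_index sourcetype=my_sourcetype
| eval event_epoch=strptime(event_time, "%Y-%m-%d %H:%M:%S")
| where event_epoch &gt;= strptime($evt_earliest|s$, "%Y-%m-%d %H:%M:%S")
    AND event_epoch &lt; strptime($evt_latest|s$, "%Y-%m-%d %H:%M:%S")
| eval event_time_display=strftime(event_epoch, "%Y-%m-%d %H:%M:%S")
| table _time event_time_display</query>
          <earliest>$idx_time.earliest$</earliest>
          <latest>$idx_time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The `_time` picker still limits which events are read from the index, so it has to be wide enough to include every event whose `event_time` falls inside the typed bounds.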