
Is there a way to add more than one time filter to Splunk reports?

Explorer

Hello,

Can we add more than one time filter to Splunk reports?

I am trying to do this for pivot reports.

Thanks in advance.

0 Karma

Path Finder

What is the end-goal for this?

With Pivot reports, you have the option of saving them with a time range picker, which should provide multiple time-filters for the report.

0 Karma

Explorer

I have created a pivot report.

It has multiple time fields, including _time. So my time range picker is based on _time, which is the index time.

So if I add other time fields as filters to the report, it takes them as a string or number and not as a time field. Because of this, I am not able to do a range with the time filters.

So my question is:

1) How can I assign any other time field to _time, so that I can apply a time filter based on the new time field, without re-indexing data, in a pivot report? (In pivot, it is not easy to customize using a query.)

2) Or can I add more time filters like the default _time range picker, which should be taken as a date/time data type and not as string/number? That is, can we add more than one time field? Because as per my knowledge, there will be only one date/time data type and all other fields will be string/number.

0 Karma

Path Finder

I don't know of an easy way. Your best bet is to use strptime and/or strftime to create a calculated field based on the additional timestamps in the data, and create a dashboard where users can input their own timestamps (for earliest and latest) to compare to the fields you want to search on. It's not going to be easy to work out, but it should be possible using the simple-xml structure available in dashboards.

0 Karma
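
A sketch of the approach suggested in the last reply, added here as an example and not taken from either poster: a Simple XML form that keeps the normal `_time` picker and adds two text inputs compared against a second timestamp parsed with `strptime`. The index, sourcetype, field names (`closed_time`, `ticket_id`, `status`), timestamp formats and default dates are constructed placeholders.

```xml
<form>
  <label>Filter on a second timestamp field (added example)</label>
  <fieldset submitButton="true">
    <!-- Standard picker: still bounds the search by _time -->
    <input type="time" token="event_range">
      <label>Event time (_time)</label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Text inputs for the second timestamp; the format must match strptime() below -->
    <input type="text" token="closed_from">
      <label>Closed on or after (YYYY-MM-DD)</label>
      <default>2024-01-01</default>
    </input>
    <input type="text" token="closed_to">
      <label>Closed before (YYYY-MM-DD)</label>
      <default>2024-02-01</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Assumed names throughout. The |s token filter quotes and escapes
               the user-typed value so it is inserted as a string literal. -->
          <query><![CDATA[
index=example_index sourcetype=example_tickets
| eval closed_epoch=strptime(closed_time, "%Y-%m-%d %H:%M:%S")
| where isnotnull(closed_epoch)
    AND closed_epoch >= strptime($closed_from|s$, "%Y-%m-%d")
    AND closed_epoch <  strptime($closed_to|s$, "%Y-%m-%d")
| eval closed_display=strftime(closed_epoch, "%Y-%m-%d %H:%M")
| table _time closed_display ticket_id status
          ]]></query>
          <earliest>$event_range.earliest$</earliest>
          <latest>$event_range.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Events whose `closed_time` does not match the format yield a null `closed_epoch` and are dropped by the `isnotnull` check, so a sudden fall in result count usually means the format string no longer matches the data.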