Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Time format

Vigneshprasanna
Explorer
‎06-12-2018 11:01 AM

Hi Mates,

i get output of a query as below, i would like to pass the output of this query to the of my code but the is not supporting the time format generated by the query so please help in changing the time format

output = AUDIT_TIME="2018-06-05 21:00:02"

Query :

index="jboss" AUDIT_DATA="XXXXX" AND AUDIT_DATA=""XXXX8"" AUDIT_TIME>="2018-06-05 21:00:00" | table AUDIT_TIME | sort AUDIT_TIME | uniq | sort 2 AUDIT_TIME | reverse | return AUDIT_TIME

i wanna pass this output value AUDIT_TIME in

alt text

Preview file
143 KB
0 Karma
Reply

Vigneshprasanna
Explorer
‎06-13-2018 02:44 AM

Hi @PowerPacked and @sukisen1981

I'm going wrong somewhere 😞 can you please check and correct me i have modified the query and tried for my case but its not working 😞

this is my sample data
2018-05-14 14:25:00,108 INFO com.xxxxxxx.browser.servlets.BrowserServlet 123-132-0-23-0

2018-05-14 14:25:00 -> i wanna pass this part as the input for the tag $earliest$

alt text

   <earliest>$earliest$</earliest>
0 Karma
Reply

PowerPacked
Builder
‎06-12-2018 01:10 PM

Hi @Vigneshprasanna

use this query to extract the time from result.

index="jboss" AUDIT_DATA="XXXXX" AND AUDIT_DATA=""XXXX8"" AUDIT_TIME>="2018-06-05 21:00:00" | table AUDIT_TIME | sort AUDIT_TIME | uniq | sort 2 AUDIT_TIME | reverse | return AUDIT_TIME | rex "AUDIT_TIME=\"(?P<time>.*)\"" | fields time

Thanks

0 Karma
Reply

Sukisen1981
Champion
‎06-12-2018 11:44 AM

pass audit time in where? do you mean you want to extract / sort by audit time?

0 Karma
Reply

Vigneshprasanna
Explorer
‎06-12-2018 06:00 PM

Hi @sukisen1981

i wanna pass the AUDIT_TIME in

Jboss Drilldown

<panel>
  <table>
    <title>Dynamic drilldown Jboss Request/Response</title>
    <search>
      <query>  **Query that will return AUDIT_TIME** </query>
      **<earliest>$earliest$</earliest>**   - **should pass the audit time here** 
      <latest>$latest$</latest>
      </search>
       </table>
</panel>

This is jest an example snippit may have some more errors too hope this helps us to understand where we have to pass the AUDIT_TIME..

Thanks for the support in advance.

Regards,
Vigneshprasanna R

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...