Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

time field search in load job not working

surekhasplunk
Communicator
‎08-28-2020 09:02 PM

Hi,

I have a savedsearch which i am calling like below. 

| loadjob savedsearch="admin:Splunk_Security:chk_coding_pie_accl" |search Time="*2020-08-24*"

When i have to use Time tokens then its not workingchk_load.PNG

This loadjob query is my pie chart query for a panel where earlist time and latest time will be as per the choosen time from the time field. 

Now when i try to pass this like below i get no results although it has value for that Time. 

|loadjob savedsearch="admin:appname:savedsearch" |search earliest=$field1.earliest$ latest=$field1.latest$ | stats count by Manager

How to pass the time properly here ?

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-09-2020 01:56 AM

First, convert your Time field using below eval Time_epoch and then you need to pass your value in where in epoch time.

|makeresults | eval _raw="Time,user
2020-08-24 12:50:14,admin
2020-09-01 12:40:14,power"
| multikv forceheader=1
| table Time user 
| eval Time_epoch=strptime(Time,"%Y-%m-%d %H:%M:%S")
| where Time_epoch<=1598259014
————————————
If this helps, give a like below.
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎08-28-2020 11:05 PM

you should pass something like below:

| search earliest=“” latest=“”

the format of earliest and latest is 

%m/%d/%Y:%H:%M:%S

 

https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/SearchTimeModifiers

————————————
If this helps, give a like below.
0 Karma
Reply

surekhasplunk
Communicator
‎09-09-2020 01:38 AM

Hi @thambisetty 

I understand that i have to change the format but it doesn't work as expected. I added the where clause but looks like that doesn't work. 

| where Time=strptime("1599503400","%Y-%m-%d %H:%M:%S")

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...