time field search in load job not working

surekhasplunk · ‎08-28-2020

Hi,

I have a savedsearch which i am calling like below.

| loadjob savedsearch="admin:Splunk_Security:chk_coding_pie_accl" |search Time="*2020-08-24*"

When i have to use Time tokens then its not working

This loadjob query is my pie chart query for a panel where earlist time and latest time will be as per the choosen time from the time field.

Now when i try to pass this like below i get no results although it has value for that Time.

|loadjob savedsearch="admin:appname:savedsearch" |search earliest=$field1.earliest$ latest=$field1.latest$ | stats count by Manager

How to pass the time properly here ?

thambisetty · ‎09-09-2020

First, convert your Time field using below eval Time_epoch and then you need to pass your value in where in epoch time.

|makeresults | eval _raw="Time,user
2020-08-24 12:50:14,admin
2020-09-01 12:40:14,power"
| multikv forceheader=1
| table Time user 
| eval Time_epoch=strptime(Time,"%Y-%m-%d %H:%M:%S")
| where Time_epoch<=1598259014

————————————
If this helps, give a like below.

thambisetty · ‎08-28-2020

you should pass something like below:

| search earliest=“” latest=“”

the format of earliest and latest is

%m/%d/%Y:%H:%M:%S

https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/SearchTimeModifiers

————————————
If this helps, give a like below.

surekhasplunk · ‎09-09-2020

Hi @thambisetty

I understand that i have to change the format but it doesn't work as expected. I added the where clause but looks like that doesn't work.

| where Time=strptime("1599503400","%Y-%m-%d %H:%M:%S")

time field search in load job not working

time

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!