Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

time field search in load job not working

surekhasplunk
Communicator
‎08-28-2020 09:02 PM

Hi,

I have a savedsearch which i am calling like below. 

| loadjob savedsearch="admin:Splunk_Security:chk_coding_pie_accl" |search Time="*2020-08-24*"

When i have to use Time tokens then its not workingchk_load.PNG

This loadjob query is my pie chart query for a panel where earlist time and latest time will be as per the choosen time from the time field. 

Now when i try to pass this like below i get no results although it has value for that Time. 

|loadjob savedsearch="admin:appname:savedsearch" |search earliest=$field1.earliest$ latest=$field1.latest$ | stats count by Manager

How to pass the time properly here ?

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-09-2020 01:56 AM

First, convert your Time field using below eval Time_epoch and then you need to pass your value in where in epoch time.

|makeresults | eval _raw="Time,user
2020-08-24 12:50:14,admin
2020-09-01 12:40:14,power"
| multikv forceheader=1
| table Time user 
| eval Time_epoch=strptime(Time,"%Y-%m-%d %H:%M:%S")
| where Time_epoch<=1598259014
————————————
If this helps, give a like below.
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎08-28-2020 11:05 PM

you should pass something like below:

| search earliest=“” latest=“”

the format of earliest and latest is 

%m/%d/%Y:%H:%M:%S

 

https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/SearchTimeModifiers

————————————
If this helps, give a like below.
0 Karma
Reply

surekhasplunk
Communicator
‎09-09-2020 01:38 AM

Hi @thambisetty 

I understand that i have to change the format but it doesn't work as expected. I added the where clause but looks like that doesn't work. 

| where Time=strptime("1599503400","%Y-%m-%d %H:%M:%S")

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...