Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to fetch the date passed in the input token to the search.

Real_captain
Path Finder
a week ago

Hi Team 

Can you please let me know why i am not able fetch the base_date in the dashoard using the below logic. 
Please help me to fix this issue.

Splunk query : 

<input type="time" token="time_token">
<label>TIME</label>
<default>
<earliest>-1d@d</earliest>
<latest>@d</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>


| inputlookup V19_Job_data.csv
| eval base_date = strftime(strptime("$time_token.earliest$", "%Y-%m-%dT%H:%M:%S"), "%Y-%m-%d")
| eval expected_epoch = strptime(base_date . " " . expected_time, "%Y-%m-%d %H:%M")
| eval deadline_epoch = strptime(base_date . " " . deadline_time, "%Y-%m-%d %H:%M")

| join type=left job_name run_id [
search
index = events_prod_cdp_penalty_esa source="SYSLOG" sourcetype=zOS-SYSLOG-Console system = EOCA host = ddebmfr.beprod01.eoc.net (( TERM(JobA) OR TERM(JobB) ) ) ("- ENDED" OR "- STARTED" OR "ENDED - ABEND")
| eval Function = case(like(TEXT, "%ENDED - ABEND%"), "ABEND" , like(TEXT, "%ENDED - TIME%"), "ENDED" , like(TEXT, "%STARTED - TIME%"), "STARTED")
| eval _time_epoch = _time
| eval run_id=case(
date_hour &lt; 14, "morning",
date_hour &gt;= 14, "evening"
)
| eval job_name=if(searchmatch("JobA"), "JobA", "JobB")
| stats latest(_time_epoch) as job_time by job_name, run_id
]
| eval buffer = 60
| eval status=case(
isnull(job_time), "Not Run",
job_time &gt; deadline_epoch, "Late",
job_time &gt;= expected_epoch AND job_time &lt;= deadline_epoch, "On Time",
job_time &lt; expected_epoch, "Early"
)
| convert ctime(job_time)
| table job_name, run_id, expected_time, expected_epoch , base_date, deadline_time, job_time, status</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>

Labels (1)
Labels
0 Karma
Reply

livehybrid
Super Champion
a week ago

This is actually similar to another question I responded to recently at https://community.splunk.com/t5/Dashboards-Visualizations/Dashboard-Studio-time-range-input/m-p/7457...

This is the snippet which calculated the time string from the time picker:

| makeresults 
| eval earliest=$global_time.earliest|s$, latest=$global_time.latest|s$
| eval earliest_epoch = IF(match(earliest,"[0-9]T[0-9]"),strptime(earliest, "%Y-%m-%dT%H:%M:%S.%3N%Z"),earliest), latest_epoch = IF(match(latest,"[0-9]T[0-9]"),strptime(latest, "%Y-%m-%dT%H:%M:%S.%3N%Z"),latest)

 

@livehybrid wrote:

Hi @abhishekP 

This is an interesting one. When selecting a relative time window the earliest/latest are values like "-1d@d" which are valid for the earliest/latest field in a search - however when you select specific dates/between dates etc then it returns the full date string such as "2025-05-07T18:47:22.565Z"

Such a value is not supported by the earliest/latest field in a Splunk search, to get around this I have put together a table off the side of the display with a search which converts dates into epoch where required. you can then use "$timetoken:result.earliest_epoch$" and "$timetoken:result.latest_epoch$" as tokens in your other searches like this:

livehybrid_0-1746644500278.png

 

Below is the full JSON of the dashboard so you can have a play around with it - hopefully this helps!

{
    "title": "testing",
    "description": "",
    "inputs": {
        "input_global_trp": {
            "options": {
                "defaultValue": "-24h@h,now",
                "token": "global_time"
            },
            "title": "Global Time Range",
            "type": "input.timerange"
        }
    },
    "defaults": {
        "dataSources": {
            "ds.search": {
                "options": {
                    "queryParameters": {
                        "earliest": "$global_time.earliest$",
                        "latest": "$global_time.latest$"
                    }
                }
            }
        }
    },
    "visualizations": {
        "viz_2FDRkepv": {
            "dataSources": {
                "primary": "ds_IPGx8Y5Y"
            },
            "options": {},
            "type": "splunk.events"
        },
        "viz_V1oldcrB": {
            "options": {
                "markdown": "earliest: $global_time.earliest$  \nlatest: $global_time.latest$  \nearliest_epoch: $timetoken:result.earliest_epoch$   \nlatest_epoch:$timetoken:result.latest_epoch$"
            },
            "type": "splunk.markdown"
        },
        "viz_bhZcZ5Cz": {
            "containerOptions": {},
            "context": {},
            "dataSources": {
                "primary": "ds_KXR2SF6V"
            },
            "options": {},
            "showLastUpdated": false,
            "showProgressBar": false,
            "type": "splunk.table"
        }
    },
    "dataSources": {
        "ds_IPGx8Y5Y": {
            "name": "timetoken",
            "options": {
                "enableSmartSources": true,
                "query": "| makeresults \n|  eval earliest=$global_time.earliest|s$, latest=$global_time.latest|s$\n| eval earliest_epoch = IF(match(earliest,\"[0-9]T[0-9]\"),strptime(earliest, \"%Y-%m-%dT%H:%M:%S.%3N%Z\"),earliest), latest_epoch = IF(match(latest,\"[0-9]T[0-9]\"),strptime(latest, \"%Y-%m-%dT%H:%M:%S.%3N%Z\"),latest)"
            },
            "type": "ds.search"
        },
        "ds_KXR2SF6V": {
            "name": "Search_1",
            "options": {
                "query": "index=_internal earliest=$timetoken:result.earliest_epoch$ latest=$timetoken:result.latest_epoch$\n|  stats count by host"
            },
            "type": "ds.search"
        }
    },
    "layout": {
        "globalInputs": [
            "input_global_trp"
        ],
        "layoutDefinitions": {
            "layout_1": {
                "options": {
                    "display": "auto",
                    "height": 960,
                    "width": 1440
                },
                "structure": [
                    {
                        "item": "viz_V1oldcrB",
                        "position": {
                            "h": 80,
                            "w": 310,
                            "x": 20,
                            "y": 20
                        },
                        "type": "block"
                    },
                    {
                        "item": "viz_2FDRkepv",
                        "position": {
                            "h": 260,
                            "w": 460,
                            "x": 1500,
                            "y": 20
                        },
                        "type": "block"
                    },
                    {
                        "item": "viz_bhZcZ5Cz",
                        "position": {
                            "h": 380,
                            "w": 1420,
                            "x": 10,
                            "y": 140
                        },
                        "type": "block"
                    }
                ],
                "type": "absolute"
            }
        },
        "tabs": {
            "items": [
                {
                    "label": "New tab",
                    "layoutId": "layout_1"
                }
            ]
        }
    }
}

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
a week ago

Hi @Real_captain ,

if you need to use timestamps in a lookup, you could use a time based lookup, or (better) store your data in a summary index that always has a timestamp, instead of managing filters and time formats.

Ciao.

Giuseppe

0 Karma
Reply

livehybrid
Super Champion
a week ago

Hi @Real_captain 

The issue is that the format of the $time_token.earliest$ value passed to strptime is not guaranteed to be %Y-%m-%dT%H:%M:%S. The time token earliest/latest values are typically epoch timestamps or relative time strings, not formatted date strings - e.g it might be 2025-06-05T07:45:00 but it could be "-d@d"

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...