Monitoring Splunk

How to fetch the date passed in the input token to the search.

Real_captain
Path Finder

Hi Team,

Can you please let me know why I am not able to fetch the base_date in the dashboard using the below logic?
Please help me to fix this issue.

Splunk dashboard (Simple XML):

<form>
  <!-- The opening <form>/<fieldset> and the closing tags below were missing from the
       posted snippet and are added here so the XML is well-formed; the search is unchanged. -->
  <fieldset submitButton="false">
    <input type="time" token="time_token">
      <label>TIME</label>
      <default>
        <earliest>-1d@d</earliest>
        <latest>@d</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>
| inputlookup V19_Job_data.csv
| eval base_date = strftime(strptime("$time_token.earliest$", "%Y-%m-%dT%H:%M:%S"), "%Y-%m-%d")
| eval expected_epoch = strptime(base_date . " " . expected_time, "%Y-%m-%d %H:%M")
| eval deadline_epoch = strptime(base_date . " " . deadline_time, "%Y-%m-%d %H:%M")
| join type=left job_name run_id [
    search index = events_prod_cdp_penalty_esa source="SYSLOG" sourcetype=zOS-SYSLOG-Console system = EOCA host = ddebmfr.beprod01.eoc.net (( TERM(JobA) OR TERM(JobB) ) ) ("- ENDED" OR "- STARTED" OR "ENDED - ABEND")
    | eval Function = case(like(TEXT, "%ENDED - ABEND%"), "ABEND" , like(TEXT, "%ENDED - TIME%"), "ENDED" , like(TEXT, "%STARTED - TIME%"), "STARTED")
    | eval _time_epoch = _time
    | eval run_id=case(
        date_hour &lt; 14, "morning",
        date_hour &gt;= 14, "evening"
      )
    | eval job_name=if(searchmatch("JobA"), "JobA", "JobB")
    | stats latest(_time_epoch) as job_time by job_name, run_id
  ]
| eval buffer = 60
| eval status=case(
    isnull(job_time), "Not Run",
    job_time &gt; deadline_epoch, "Late",
    job_time &gt;= expected_epoch AND job_time &lt;= deadline_epoch, "On Time",
    job_time &lt; expected_epoch, "Early"
  )
| convert ctime(job_time)
| table job_name, run_id, expected_time, expected_epoch , base_date, deadline_time, job_time, status</query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

0 Karma

livehybrid
SplunkTrust

This is actually similar to another question I responded to recently at https://community.splunk.com/t5/Dashboards-Visualizations/Dashboard-Studio-time-range-input/m-p/7457...

This is the snippet which calculates the time values from the time picker:

| makeresults
| eval earliest=$global_time.earliest|s$, latest=$global_time.latest|s$
| eval earliest_epoch = IF(match(earliest,"[0-9]T[0-9]"),strptime(earliest, "%Y-%m-%dT%H:%M:%S.%3N%Z"),earliest), latest_epoch = IF(match(latest,"[0-9]T[0-9]"),strptime(latest, "%Y-%m-%dT%H:%M:%S.%3N%Z"),latest)

@livehybrid wrote:

Hi @abhishekP 

This is an interesting one. When selecting a relative time window, the earliest/latest are values like "-1d@d", which are valid for the earliest/latest field in a search; however, when you select specific dates/between dates etc., it returns the full date string such as "2025-05-07T18:47:22.565Z".

Such a value is not supported by the earliest/latest field in a Splunk search. To get around this I have put together a table off to the side of the display with a search which converts dates into epoch where required. You can then use "$timetoken:result.earliest_epoch$" and "$timetoken:result.latest_epoch$" as tokens in your other searches, like this:

Below is the full JSON of the dashboard so you can have a play around with it - hopefully this helps!

{
    "title": "testing",
    "description": "",
    "inputs": {
        "input_global_trp": {
            "options": {
                "defaultValue": "-24h@h,now",
                "token": "global_time"
            },
            "title": "Global Time Range",
            "type": "input.timerange"
        }
    },
    "defaults": {
        "dataSources": {
            "ds.search": {
                "options": {
                    "queryParameters": {
                        "earliest": "$global_time.earliest$",
                        "latest": "$global_time.latest$"
                    }
                }
            }
        }
    },
    "visualizations": {
        "viz_2FDRkepv": {
            "dataSources": {
                "primary": "ds_IPGx8Y5Y"
            },
            "options": {},
            "type": "splunk.events"
        },
        "viz_V1oldcrB": {
            "options": {
                "markdown": "earliest: $global_time.earliest$  \nlatest: $global_time.latest$  \nearliest_epoch: $timetoken:result.earliest_epoch$   \nlatest_epoch:$timetoken:result.latest_epoch$"
            },
            "type": "splunk.markdown"
        },
        "viz_bhZcZ5Cz": {
            "containerOptions": {},
            "context": {},
            "dataSources": {
                "primary": "ds_KXR2SF6V"
            },
            "options": {},
            "showLastUpdated": false,
            "showProgressBar": false,
            "type": "splunk.table"
        }
    },
    "dataSources": {
        "ds_IPGx8Y5Y": {
            "name": "timetoken",
            "options": {
                "enableSmartSources": true,
                "query": "| makeresults \n|  eval earliest=$global_time.earliest|s$, latest=$global_time.latest|s$\n| eval earliest_epoch = IF(match(earliest,\"[0-9]T[0-9]\"),strptime(earliest, \"%Y-%m-%dT%H:%M:%S.%3N%Z\"),earliest), latest_epoch = IF(match(latest,\"[0-9]T[0-9]\"),strptime(latest, \"%Y-%m-%dT%H:%M:%S.%3N%Z\"),latest)"
            },
            "type": "ds.search"
        },
        "ds_KXR2SF6V": {
            "name": "Search_1",
            "options": {
                "query": "index=_internal earliest=$timetoken:result.earliest_epoch$ latest=$timetoken:result.latest_epoch$\n|  stats count by host"
            },
            "type": "ds.search"
        }
    },
    "layout": {
        "globalInputs": [
            "input_global_trp"
        ],
        "layoutDefinitions": {
            "layout_1": {
                "options": {
                    "display": "auto",
                    "height": 960,
                    "width": 1440
                },
                "structure": [
                    {
                        "item": "viz_V1oldcrB",
                        "position": {
                            "h": 80,
                            "w": 310,
                            "x": 20,
                            "y": 20
                        },
                        "type": "block"
                    },
                    {
                        "item": "viz_2FDRkepv",
                        "position": {
                            "h": 260,
                            "w": 460,
                            "x": 1500,
                            "y": 20
                        },
                        "type": "block"
                    },
                    {
                        "item": "viz_bhZcZ5Cz",
                        "position": {
                            "h": 380,
                            "w": 1420,
                            "x": 10,
                            "y": 140
                        },
                        "type": "block"
                    }
                ],
                "type": "absolute"
            }
        },
        "tabs": {
            "items": [
                {
                    "label": "New tab",
                    "layoutId": "layout_1"
                }
            ]
        }
    }
}

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
0 Karma

gcusello
SplunkTrust

Hi @Real_captain,

If you need to use timestamps in a lookup, you could use a time-based lookup, or (better) store your data in a summary index that always has a timestamp, instead of managing filters and time formats.

Ciao.

Giuseppe

0 Karma

livehybrid
SplunkTrust

Hi @Real_captain 

The issue is that the format of the $time_token.earliest$ value passed to strptime is not guaranteed to be %Y-%m-%dT%H:%M:%S. The time token earliest/latest values are typically epoch timestamps or relative time strings, not formatted date strings; e.g. it might be 2025-06-05T07:45:00, but it could be "-d@d".


0 Karma
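Pulling the two livehybrid answers together (the ISO-to-epoch conversion above and the point that the token may also arrive as an epoch number or a relative time modifier), here is an added example of a base_date computation that accepts all three forms. This is my own code, not code from the thread or from Splunk. Assumptions: the token is named time_token as in the question; the format string for ISO values with milliseconds is the one from livehybrid's snippet and is assumed to match what the picker emits; the no-milliseconds branch is my own addition for values like 2025-06-05T07:45:00; and relative_time() resolves a modifier such as -1d@d against now() on the search head, so the snap uses the search head's (or the user's) configured timezone, not the browser's.

```spl
| makeresults
| eval raw = $time_token.earliest|s$
| eval base_epoch = case(
      raw == "" OR raw == "now",                                  now(),
      match(raw, "^\d+(\.\d+)?$"),                                tonumber(raw),
      match(raw, "^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}"),   strptime(raw, "%Y-%m-%dT%H:%M:%S.%3N%Z"),
      match(raw, "^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$"),          strptime(raw, "%Y-%m-%dT%H:%M:%S"),
      true(),                                                     relative_time(now(), raw))
| eval base_date = strftime(base_epoch, "%Y-%m-%d")
| table raw base_epoch base_date
```

The `|s` filter matters: it quotes the substituted value, so a modifier like -1d@d is handed to eval as a string rather than as an expression that subtracts 1d from nothing. The first case() branch returns now() for an empty or "now" token, the second keeps a numeric epoch as a number, the two ISO branches use strptime with an explicit format, and the final branch hands anything else to relative_time(), which understands the same modifiers the time picker emits. In the original dashboard the same case() would replace the single strptime line that follows `| inputlookup V19_Job_data.csv`; if base_epoch comes back empty for a particular picker selection, the raw column shows exactly which form that selection produced.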