Splunk Dev

How to have a graph display today's data by default NOT using default time

twmoffit
Explorer

Hello

I am trying to figure out how to have my graphs display today's data based off of a field value and not the default event time stamps.

Here is my search to create the graph:

sourcetype=oracle:tablespacesize index=gwboracledb DBNAME="$dbname_filt$" TS_NAME="$ts_filt$"
| eval SNAP_DATE=strptime(SNAP_DATE,"%Y-%m-%d %H:%M:%S.%N")
| bin span=1d SNAP_DATE
| eval SNAP_DATE=strftime(SNAP_DATE,"%Y-%m-%d")
| eval today=relative_time(now(),"@d")
| search SNAP_DATE="$ts%date_filt$"
| eval USED_GB = USED_KB/1024/1024
| eval ALLOCATED_GB=ALLOCATED_KB/1024/1024
| eval FREE_GB=FREE_KB/1024/1024
| chart sum(FREE_GB) as "FREE" sum(USED_GB) as "USED" over TS_NAME
| sort limit=10 -num("USED")

As you can see, I am using the "SNAP_DATE" field as the date values in my graph. I also have a dropdown menu element on my panel that gives you the option to select a snap date to view. For some reason, using the "now()" command in the "SNAP_DATE" does not return any values. I tried using an eval line to create a "today" value but that did not seem to work at all and will be removed after posting this.
How can I make it so that there is an option in this dropdown to display today's data?

Thanks for the help

0 Karma

woodcock
Esteemed Legend

Ignore that you sort of know how to do it and pretend that you don't know anything other than what your events look like and what you need. Show us the events and describe what you need. Your existing search and description are confusing me.

0 Karma

gcusello
SplunkTrust

Hi twmoffit,
you have to insert in your main search

earliest="$day$:00:00:00" latest="$day$:23:59:59"

where $day$ is the token of your dropdown.
Bye.
Giuseppe

0 Karma
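An added example, not from any poster in this thread: a Simple XML dropdown with a static "Today" choice whose keyword the panel search resolves against the SNAP_DATE field at run time. The token name `snap_day`, the helper fields `SNAP_DAY` and `wanted`, the 30-day lookback and the bar chart type are assumptions; the index, sourcetype, field names and the `dbname_filt` / `ts_filt` tokens come from the question.

```xml
<!-- Added example. snap_day, SNAP_DAY, wanted and the -30d@d window are
     assumed names/values; the dbname_filt and ts_filt inputs are the
     asker's existing ones and are not repeated here. -->
<form>
  <label>Tablespace usage</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="snap_day" searchWhenChanged="true">
      <label>Snap date</label>
      <!-- Static choice: a keyword, turned into a date at search time -->
      <choice value="today">Today</choice>
      <default>today</default>
      <fieldForLabel>SNAP_DAY</fieldForLabel>
      <fieldForValue>SNAP_DAY</fieldForValue>
      <!-- Dynamic choices: one entry per snapshot day found in the data -->
      <search>
        <query><![CDATA[
index=gwboracledb sourcetype=oracle:tablespacesize
| eval SNAP_DAY=strftime(strptime(SNAP_DATE,"%Y-%m-%d %H:%M:%S.%N"),"%Y-%m-%d")
| stats count by SNAP_DAY
| sort - SNAP_DAY
        ]]></query>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <!-- "today" is replaced by the current date; any other value
               is already a YYYY-MM-DD string from the dropdown search -->
          <query><![CDATA[
index=gwboracledb sourcetype=oracle:tablespacesize DBNAME="$dbname_filt$" TS_NAME="$ts_filt$"
| eval SNAP_DAY=strftime(strptime(SNAP_DATE,"%Y-%m-%d %H:%M:%S.%N"),"%Y-%m-%d")
| eval wanted=if("$snap_day$"=="today", strftime(now(),"%Y-%m-%d"), "$snap_day$")
| where SNAP_DAY=wanted
| eval USED_GB=USED_KB/1024/1024, FREE_GB=FREE_KB/1024/1024
| chart sum(FREE_GB) as FREE sum(USED_GB) as USED over TS_NAME
| sort 10 -USED
          ]]></query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
</form>
```

Because SNAP_DATE is filtered after events are retrieved, the panel's time range must be wide enough to include the events that carry the selected snapshot date.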