Splunk Enterprise

How to create time/date token for a dbxlookup?

genesiusj
Builder

Hello,

Need to create a date/time token for a dbxlookup. The default values for start needs to be Thursday from the previous week, and the end needs to be Monday from the current week.

Here is the dbxlookup command.

 

| dbxquery connection="SPLUNK" maxrows=0 query="select * 
from VW_SPLUNK 
where to_date (TO_CHAR (create_date_time, 'yyyy-mm-dd hh24:mi:ss'), 'yyyy-mm-dd hh24:mi:ss') 
between to_date ('$tokFromDate1$ $tok_startTime$','yyyy-mm-dd hh24:mi:ss') AND to_date ('$tokToDate1$ $tok_EndTime$','yyyy-mm-dd hh24:mi:ss') "

 

Here is the XML I have for the tokens.

 

      <input type="radio" token="tok_toggleTime">
        <label>Select date: Thu-Mon vs Mon-Thu</label>
        <choice value="ThM">Last Thursday to Monday</choice>
        <choice value="MTh">Last Monday to Thursday</choice>
        <change>
          <condition value="ThM">
            <set token="tok_startTime1">06:45:00</set>
            <set token="tok_endTime1">09:30:00</set>
            <set token="tok_textStartTime">1</set>
    <set token="tokFromDate1">@w0-3d</set>
    <set token="tokToDate1">@w0+1d</set>          
          </condition>
          <condition value="MTh">
            <set token="tok_startTime1">06:45:00</set>
            <set token="tok_endTime1">09:30:00</set>
            <set token="tok_textEndTime">1</set>
    <set token="tokFromDate1">@w0+1d</set>
    <set token="tokToDate1">@w0-3d</set>          
          </condition>
        </change>
      </input>
      <input type="text" token="tok_startTime" searchWhenChanged="true">
        <label>Start Time - Can enter new time</label>
        <default>$tok_startTime1$</default>
        <suffix/>
      </input>
      <input type="text" token="tok_endTime" searchWhenChanged="true">
        <label>End Time - Can enter new time</label>
        <default>$tok_endTime1$</default>
        <suffix/>
      </input>

 

 

Thanks and God bless,
Genesius

Labels (1)
0 Karma
1 Solution

genesiusj
Builder

I figured out the solution.

Use eval instead of set in the <condition>. Then use relative_time and time modifiers.
See the final input XML code below (showing only one condition for brevity).

    <input type="radio" token="tok_toggleTime">
      <label>Select preset days</label>
      <choice value="ThM">Last Thursday to Monday</choice>
:
:
      <change>
        <condition value="ThM">
          <set token="tok_fromTime1">06:45:00</set>
          <set token="tok_toTime1">06:45:00</set>
          <eval token="tok_fromDate1">strftime(relative_time(now(),"@w-3d"),"%Y-%m-%d")</eval>
          <eval token="tok_toDate1">strftime(relative_time(now(),"@w+1d"),"%Y-%m-%d")</eval>
        </condition>
      </change>
    </input>

Thanks and God bless,
Genesius

View solution in original post

0 Karma

genesiusj
Builder

I figured out the solution.

Use eval instead of set in the <condition>. Then use relative_time and time modifiers.
See the final input XML code below (showing only one condition for brevity).

    <input type="radio" token="tok_toggleTime">
      <label>Select preset days</label>
      <choice value="ThM">Last Thursday to Monday</choice>
:
:
      <change>
        <condition value="ThM">
          <set token="tok_fromTime1">06:45:00</set>
          <set token="tok_toTime1">06:45:00</set>
          <eval token="tok_fromDate1">strftime(relative_time(now(),"@w-3d"),"%Y-%m-%d")</eval>
          <eval token="tok_toDate1">strftime(relative_time(now(),"@w+1d"),"%Y-%m-%d")</eval>
        </condition>
      </change>
    </input>

Thanks and God bless,
Genesius

0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...