Splunk Search

Can I pass an indexed Date value to the time picker?

Explorer

As far as I know the time picker searches based on the time that the data was indexed in Splunk. I need to search based on the Date values in the events in the dataset. Is this possible?


Re: Can I pass an indexed Date value to the time picker?

SplunkTrust

The time range picker works on the field _time, which is the timestamp of the event/data (it depends on how you've parsed the timestamp for your data). This Date value in your data, is it not the same as the _time field? Have a look at this:

https://www.splunk.com/blog/2016/09/16/i-cant-make-my-time-range-picker-pick.html


Re: Can I pass an indexed Date value to the time picker?

Explorer

The data I have indexed has Date and Time fields for when the data was initially created, not when it was put into Splunk. I'd like to be able to search by that Date and Time instead of the _time field.

I did look over that link earlier but it looks like you can only get as specific as the day. Does that method allow the search to be narrowed to hour/minute like the default time range picker?

Sorry I'm pretty new to Splunk so if I'm missing some basic concept here I apologize.


Re: Can I pass an indexed Date value to the time picker?

SplunkTrust

First, if you've set up your event timestamp (which is the _time field) to be extracted from those Date and Time fields, then your time range would work as you expect. Guessing that's not the case (that's why we're discussing this).

Second, that approach would work on any time range that you'd select. In that post, they override the _time field value with another date/time field, which was just the date in the sample data. If your Date and Time fields have more precision, you can filter for a more specific time range. Like this (your main search should have a time range large enough to select all the data that you need; the subsearches would use the default time range picker values), assuming YourDateField is the date field from your data with values in the format YYYY-mm-dd and YourTimeField is the time field from your data with values in the format HH:MM:SS:

index=foo sourcetype=bar earliest=0 latest=now
| eval _time=strptime(YourDateField." ".YourTimeField,"%Y-%m-%d %H:%M:%S")
| where _time>=[| gentimes start=-1 | addinfo | eval search=info_min_time | table search] AND _time<[| gentimes start=-1 | addinfo | eval search=info_max_time | table search]

The addinfo command creates the fields info_min_time and info_max_time, which are the earliest and latest values of the time range applied to it.


Re: Can I pass an indexed Date value to the time picker?

Explorer

I tried following that website's example and I think I'm close, but my search is not displaying all of the events in the specified time range.

info_min_time and info_max_time are both being calculated correctly, and my where statement should also be fine because _time has been set to the value of the Date field I need. So all of the values are calculated correctly, but for some reason my search is leaving out some of the events in the time range.

base search
| eval CA7_DateTime = CA7_Date . " " . CA7_Time
| eval _time=strptime(CA7_DateTime,"%Y-%m-%d %H:%M")
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| eval CA7_FCOMP=if(CA7_FCOMP="n/a"," ",CA7_FCOMP)
| eval CA7_Abend=if(CA7_Abend="n/a"," ",CA7_Abend)
| table CA7_Number CA7_DateTime CA7_Jobname CA7_Abend CA7_FCOMP CA7_Reason

Searching by All Time displays everything correctly, but if I try viewing specific days, events are left out.


Re: Can I pass an indexed Date value to the time picker?

Esteemed Legend

You are incorrect. Splunk searches based on the time that the event was stamped, and YOU control that. You need to set up your input correctly using TIME_PREFIX=, MAX_TIMESTAMP_LOOKAHEAD=, and TIME_FORMAT= inside of props.conf for your source or sourcetype. Some silly people do use DATETIME_CONFIG=CURRENT to make Splunk set the time to the time the event was indexed, but this is very uncommon and short-sighted and almost always the wrong approach.

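An added example (not part of the thread) of the props.conf approach this reply describes, so that _time is stamped from the CA7 date and time at index time instead of being patched with eval/strptime at search time. The sourcetype name ca7_joblog, the constructed sample line, the CSV variant and the TZ value are assumptions; the format string is the one the search above already uses. The point is not only convenience: if _time is the index time, a timeline built during an investigation shows when the log was loaded into Splunk, not when the job actually ran.

```ini
# Added example, not from the thread. Assumes a sourcetype "ca7_joblog" whose
# events are single lines that begin with the job's own date and time, e.g.
# (constructed sample line, not real data):
#   2019-03-05 09:30 CA7_Number=0012 CA7_Jobname=PAYROLL CA7_FCOMP=C0000 CA7_Abend=n/a
# With this stanza in place Splunk stamps _time from the CA7 date/time, so the
# time range picker, addinfo and timechart all work on it with no eval needed.

[ca7_joblog]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Timestamp sits at the start of the line; anchoring the regex there means a
# date-like token later in the event (a run date in CA7_Reason, say) is never
# picked up instead.
TIME_PREFIX = ^
# Same format the thread's strptime() uses. Minute precision only, so events
# from the same minute share a _time; that matches what the source provides.
TIME_FORMAT = %Y-%m-%d %H:%M
# "2019-03-05 09:30" is 16 characters; cap the scan so nothing past it is read.
MAX_TIMESTAMP_LOOKAHEAD = 16
# The export carries no zone. Assumption: the mainframe clock is US Central.
# Without TZ, Splunk applies the indexer's zone and _time is silently offset.
TZ = America/Chicago

# Alternative (assumption: the export is instead a CSV with CA7_Date and
# CA7_Time columns). Parse it as a structured file and build the timestamp
# from both columns; assumption: the two values are joined with one space,
# which is what the TIME_FORMAT below expects.
[ca7_csv]
INDEXED_EXTRACTIONS = csv
TIMESTAMP_FIELDS = CA7_Date,CA7_Time
TIME_FORMAT = %Y-%m-%d %H:%M
TZ = America/Chicago
```

The line-based stanza belongs in props.conf on whichever instance parses the data (the indexer, or a heavy forwarder in front of it); INDEXED_EXTRACTIONS is applied on the universal forwarder that reads the file. Either way it takes effect only for data indexed after the change: events already in the index keep their old _time, so history must be re-indexed or handled with the eval/addinfo workaround above. To check the result, compare the two clocks on fresh data with something like `sourcetype=ca7_joblog | eval lag=_indextime-_time | stats min(lag) max(lag)`; a lag that is hours off or negative usually means a wrong TZ or a TIME_PREFIX that is matching the wrong token.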