Solved: Changing how time is displayed based on user input

exocore123 · ‎06-26-2017

I have a dashboard with a range of aggregation span from 1h, 1d, 7d, 1mon. And I want to change how timestamp is displayed depending on the user input for aggregation span, something like this

eval Timestamp=case($span$="1mon", strftime(_time,"%b %Y"), $span$="1d" OR $span$="7d", strftime(_time,"%d %b %Y"))

However, I keep getting a mismatched ) error, not sure how to work around this.

lguinn2 · ‎06-26-2017

I don't really see a problem, but I wonder if it is something to do with the token. Try this and see what happens:

eval Timestamp=case("$span$"="1mon", strftime(_time,"%b %Y"),
                    "$span$"="1d" OR "$span$"="7d", strftime(_time,"%d %b %Y") )

View solution in original post

lguinn2 · ‎06-26-2017

I don't really see a problem, but I wonder if it is something to do with the token. Try this and see what happens:

eval Timestamp=case("$span$"="1mon", strftime(_time,"%b %Y"),
                    "$span$"="1d" OR "$span$"="7d", strftime(_time,"%d %b %Y") )

cmerriman · ‎06-26-2017

Or possible $span|s$ to encase the token value in quotes.
Is that where your search breaks? When you run everything before that eval it works?

exocore123 · ‎06-27-2017

Yep, seems like I had to put the input in quotes, thank you

Changing how time is displayed based on user input

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life