
Convert timepicker token to epoch time for eval, regardless of timepicker combination

Path Finder

I need to compare my timepicker values (timePicker token) to the field date_e which returns an epoch value.

I convert my timepicker to epoch using the if command.

My search goes something like this:

| eval e = if(isnum($timePicker.earliest$), $timePicker.earliest$, relative_time(now(), "$timePicker.earliest$")) 
| eval l = if(isnum($timePicker.latest$), $timePicker.latest$, relative_time(now(), "$timePicker.latest$")) 
| where date_e>= e AND date_e<= l

This is fine if the user selects two dates using 'Between' in the timepicker.
However, if the user chooses 'Month to Date', I encounter an error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '@mon), @mon, relative_time(now(), "@mon"))".

Can anybody please help me out?

0 Karma


Try using:

your search ..| appendcols  [|gentimes start=-1 | addinfo | table info_max_time, info_min_time] | where date_e>= info_min_time AND date_e<= info_max_time
0 Karma

Path Finder

I'm sorry but I'm not using timepickers to filter the search itself, which is why I don't think I can use info_min_time and info_max_time. I'm only using the timepicker to compare it to date_e. My time range for this table is set to 'Global'.

0 Karma
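
An added example, not part of the original thread: the error above arises because the dashboard substitutes the token text literally, so `isnum($timePicker.earliest$)` becomes `isnum(@mon)`, which eval cannot parse. The sketch below passes each token as a quoted string and uses `tonumber()`, which returns null for non-numeric strings, to tell an epoch value from a relative-time modifier. The helper fields `e_raw` and `l_raw` are names introduced here; it assumes an empty earliest means "all time", an empty or `now` latest means the current time, and it does not handle real-time (`rt...`) values.

```spl
| eval e_raw = "$timePicker.earliest$", l_raw = "$timePicker.latest$"
| eval e = case(e_raw == "", 0,
                isnotnull(tonumber(e_raw)), tonumber(e_raw),
                true(), relative_time(now(), e_raw))
| eval l = case(l_raw == "" OR l_raw == "now", now(),
                isnotnull(tonumber(l_raw)), tonumber(l_raw),
                true(), relative_time(now(), l_raw))
| where date_e >= e AND date_e <= l
| fields - e_raw, l_raw
```

Quoting the token also keeps a stray character in the token value from being parsed as part of the eval expression.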