Splunk Search

Convert timepicker token to epoch time for eval, regardless of timepicker combination

dojiepreji
Path Finder

I need to compare my timepicker values (timePicker token) to the field date_e which returns an epoch value.

I convert my timepicker to epoch using if command.

My search goes something like this,

| eval e = if(isnum($timePicker.earliest$), $timePicker.earliest$, relative_time(now(), "$timePicker.earliest$")) 
| eval l = if(isnum($timePicker.latest$), $timePicker.latest$, relative_time(now(), "$timePicker.latest$")) 
| where date_e>= e AND date_e<= l

This is fine if the user selects two dates using 'Between' in timepicker.
However, if the user chooses 'Month to Date', I encounter an error

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '@mon), @mon, relative_time(now(), "@mon"))".

Can anybody please help me out?

0 Karma

BernardEAI
Communicator

I have been trying to get this right for a while. I used to make use of this format:

<eval token="earliest_epoch">if(isnum($p2_period.earliest$),$p2_period.earliest$,relative_time(now(),$p2_period.earliest$))</eval>

I had that code in a dummy search that would run when I hit the "Submit" button, and in the <change> tag for the time input. 

This seemed to work well, until it stopped working (we upgraded to Splunk 8 from 7, and I think this is when it stopped working; this is reported here as well, and the problem revolves around the isnum check: https://community.splunk.com/t5/Splunk-Enterprise/xml-Check-if-a-value-is-a-number/m-p/554255#M5996 )

I eventually decided to go over to javascript to solve this. I now have the following code in the "submit" event (gets triggered on the "Submit" button click):

    // One-shot SPL search that converts the two timepicker values (earliest_time /
    // latest_time, read from the time input) to epoch: numeric values pass through
    // isnum(), relative modifiers such as "@mon" go through relative_time().
    service.oneshotSearch("| makeresults | eval time=\"" + earliest_time + "\" \
                           | append [ | makeresults | eval time=\"" + latest_time + "\"] \
                           | eval time_e = if(isnum(time),time,relative_time(now(),time))", {
        output_mode: "JSON"
    }, function (err, results) {
        if (err) {
            console.error(err);
        } else {
            // row 0 is the earliest value, row 1 the appended latest value
            earliest_time_e = results.results[0]['time_e'];
            console.log(earliest_time_e);
            latest_time_e = results.results[1]['time_e'];
            console.log(latest_time_e);

            var now_time_e = Math.round(Date.now() / 1000);
            var diff_time_e = now_time_e - earliest_time_e;

            // set any tokens needed
            mvc.Components.getInstance('submitted').set('earliest_time_e', earliest_time_e);

            // rest of code.......
        }
    });


The oneShotSearch executes this type of search (this one adds an eval to produce a 2 week plus and 2 week minus time as well):

| makeresults | eval time=1620079200 
| append [ | makeresults | eval time=1622671200]

| eval time_e = if(isnum(time),time,relative_time(now(),time))
| eval time_min_2w = relative_time(time_e,"-2w")
| eval time_plus_2w = relative_time(time_e,"+2w")


In this way you can do any type of time manipulation and set your tokens, allowing a lot of flexibility.
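As an added example (not code from this thread, from Splunk, or from the splunk-js-sdk), the same isnum-or-relative_time conversion can be done in plain JavaScript on the dashboard side, without a oneshotSearch round-trip, for the token values the timepicker actually emits: an absolute epoch string (the 'Between' case, or "0" for All time), "now", and chains of `[+|-]<n><unit>` offsets and `@<unit>` snaps such as "@mon" (Month to Date), "-7d@d" or "@w1". The names `UNITS`, `tokenToEpoch` and `inRange`, the fixed sample `NOW`, and the behaviour choices are all mine: arithmetic is done in UTC (Splunk's relative_time uses the user's timezone, so expect a difference for snaps if your users are not on UTC), a missing count means 1, month arithmetic clamps the day of month, and any modifier the parser does not understand throws instead of silently producing a malformed comparison, which is the failure the question describes.

```javascript
// Added example: Splunk timepicker token value -> epoch seconds, in JavaScript.
// Offsets and snaps are applied left to right, as relative_time() does
// ("-1d@d" subtracts then snaps, "@d-1h" snaps then subtracts).

// Unit aliases as accepted by Splunk time modifiers; "m" is minute, "mon" is month.
const UNITS = {
  s: "s", sec: "s", secs: "s", second: "s", seconds: "s",
  m: "m", min: "m", mins: "m", minute: "m", minutes: "m",
  h: "h", hr: "h", hrs: "h", hour: "h", hours: "h",
  d: "d", day: "d", days: "d",
  w: "w", week: "w", weeks: "w",
  mon: "mon", month: "mon", months: "mon",
  q: "q", qtr: "q", qtrs: "q", quarter: "q", quarters: "q",
  y: "y", yr: "y", yrs: "y", year: "y", years: "y",
};

// Add n months (n may be negative), clamping the day to the target month's length.
function addMonths(d, n) {
  const day = d.getUTCDate();
  d.setUTCDate(1);
  d.setUTCMonth(d.getUTCMonth() + n);
  const daysInMonth = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(day, daysInMonth));
}

// Apply one offset such as "-7d" or "+2w" in place (UTC).
function shift(d, sign, n, unit) {
  const k = sign === "-" ? -n : n;
  switch (unit) {
    case "s": d.setUTCSeconds(d.getUTCSeconds() + k); break;
    case "m": d.setUTCMinutes(d.getUTCMinutes() + k); break;
    case "h": d.setUTCHours(d.getUTCHours() + k); break;
    case "d": d.setUTCDate(d.getUTCDate() + k); break;
    case "w": d.setUTCDate(d.getUTCDate() + 7 * k); break;
    case "mon": addMonths(d, k); break;
    case "q": addMonths(d, 3 * k); break;
    case "y": addMonths(d, 12 * k); break;
  }
}

// Apply one snap such as "@d", "@mon" or "@w1" in place (UTC).
// "@w", "@w0" and "@w7" snap to Sunday, "@w1".."@w6" to Monday..Saturday.
function snap(d, unit, weekday) {
  if (unit === "w") {
    const target = weekday === "" ? 0 : Number(weekday) % 7;
    const delta = (d.getUTCDay() - target + 7) % 7;
    d.setUTCDate(d.getUTCDate() - delta);
    d.setUTCHours(0, 0, 0, 0);
    return;
  }
  const level = ["s", "m", "h", "d", "mon", "q", "y"].indexOf(unit);
  d.setUTCMilliseconds(0);
  if (level >= 1) d.setUTCSeconds(0);
  if (level >= 2) d.setUTCMinutes(0);
  if (level >= 3) d.setUTCHours(0);
  if (level >= 4) d.setUTCDate(1); // day reset before the month is moved
  if (level >= 5) d.setUTCMonth(d.getUTCMonth() - (d.getUTCMonth() % 3));
  if (level >= 6) d.setUTCMonth(0);
}

// Epoch seconds for a timepicker token value, evaluated relative to nowEpoch.
function tokenToEpoch(token, nowEpoch = Math.floor(Date.now() / 1000)) {
  const spec = String(token).trim();
  if (/^-?\d+(\.\d+)?$/.test(spec)) return Number(spec); // the isnum() branch
  if (spec === "now") return nowEpoch;

  const d = new Date(nowEpoch * 1000);
  let consumed = 0;
  for (const m of spec.matchAll(/([+-]?)(\d*)([a-z]+)|@([a-z]+)(\d?)/g)) {
    if (m.index !== consumed) break; // unparsable characters in between
    consumed += m[0].length;
    if (m[3] !== undefined) { // offset: sign, count (default 1), unit
      const unit = UNITS[m[3]];
      if (!unit) throw new Error("unknown unit in time modifier: " + spec);
      shift(d, m[1], m[2] === "" ? 1 : Number(m[2]), unit);
    } else { // snap: unit, optional weekday digit (only valid for @w)
      const unit = UNITS[m[4]];
      if (!unit || (m[5] !== "" && unit !== "w")) throw new Error("bad snap in time modifier: " + spec);
      snap(d, unit, m[5]);
    }
  }
  if (consumed !== spec.length) throw new Error("unsupported time modifier: " + spec);
  return Math.floor(d.getTime() / 1000);
}

// The thread's  where date_e >= e AND date_e <= l  comparison, for one record.
function inRange(dateEpoch, earliestToken, latestToken, nowEpoch) {
  return dateEpoch >= tokenToEpoch(earliestToken, nowEpoch) &&
         dateEpoch <= tokenToEpoch(latestToken, nowEpoch);
}

// Usage with a constructed fixed "now" (2021-05-15T13:27:45Z) and the Month to Date
// preset, which the timepicker emits as earliest "@mon" and latest "now".
const NOW = 1621085265;
console.log(tokenToEpoch("@mon", NOW), tokenToEpoch("-7d@d", NOW), inRange(1620079200, "@mon", "now", NOW));
```

In a dashboard's submit handler this replaces the search round-trip: read `$timePicker.earliest$` and `$timePicker.latest$` from the submitted token model, pass them through `tokenToEpoch`, and set the epoch tokens the SPL `where` clause compares against; the thrown error surfaces an unexpected modifier in the browser console instead of as a malformed eval.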

p_gurav
Champion

Try using:

your search ..| appendcols  [|gentimes start=-1 | addinfo | table info_max_time, info_min_time] | where date_e>= info_min_time AND date_e<= info_max_time
0 Karma

dojiepreji
Path Finder

I'm sorry but I'm not using timepickers to filter the search itself, which is why I don't think I can use info_min_time and info_max_time. I'm only using the timepicker to compare it to date_e. My time range for this table is set to 'Global'.

0 Karma