Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Convert timepicker token to epoch time for eval, regardless of timepicker combination

dojiepreji
Path Finder
‎01-22-2019 10:12 PM

I need to compare my timepicker values (timePicker token) to the field date_e which returns an epoch value.

I convert my timepicker to epoch using if command.

My search goes something like this,

| eval e = if(isnum($timePicker.earliest$), $timePicker.earliest$, relative_time(now(), "$timePicker.earliest$")) 
| eval l = if(isnum($timePicker.latest$), $timePicker.latest$, relative_time(now(), "$timePicker.latest$")) 
| where date_e>= e AND date_e<= l

This is fine if the user selects two dates using 'Between' in timepicker.
However, if the user chooses 'Month to Date', I encounter an error

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '@mon), @mon, relative_time(now(), "@mon"))".

Can anybody please help me out?

0 Karma
Reply

BernardEAI
Communicator
‎06-03-2021 11:32 PM

I have been trying to get this right for a while.  I used to make use of this format:

<eval token="earliest_epoch">if(isnum($p2_period.earliest$),$p2_period.earliest$,relative_time(now(),$p2_period.earliest$))</eval>

I had that code in a dummy search that would run when I hit the "Submit" button, and in the <change> tag for the time input. 

This seemed to work well, until it stopped working (we upgraded to Splunk 8 from 7 and I think this is when it stopped working. This is reported here as well, the problem revolves around the isnum check: https://community.splunk.com/t5/Splunk-Enterprise/xml-Check-if-a-value-is-a-number/m-p/554255#M5996 )

I eventually decided to go over to javascript to solve this. I now have the following code in the "submit" event (gets triggered on the "Submit" button click):

    service.oneshotSearch("| makeresults | eval time=\"" + earliest_time + "\" \
                           | append [ | makeresults | eval time=\"" + latest_time + "\"] \
                           | eval time_e = if(isnum(time),time,relative_time(now(),time))"   , {
        output_mode: "JSON"
    }, function (err, results) {
        if (err) {
            console.error(err);
        } else {   
            earliest_time_e = results.results[0]['time_e']
            console.log(earliest_time_e );
            latest_time_e = results.results[1]['time_e']
            console.log(latest_time_e );

            var now_time_e = Math.round(Date.now()/1000)
            var diff_time_e = now_time_e - earliest_time_e
            
            //set any tokens needed   
            mvc.Components.getInstance('submitted').set('earliest_time_e',earliest_time_e );
            
            // rest of code.......
  

            }

        }});

 

The oneShotSearch executes this type of search (this one adds an eval to produce a 2 week plus and 2 week minus time as well):

| makeresults | eval time=1620079200 
| append [ | makeresults | eval time=1622671200]

| eval time_e = if(isnum(time),time,relative_time(now(),time))
| eval time_min_2w = relative_time(time_e,"-2w")
| eval time_plus_2w = relative_time(time_e,"+2w")

  

In this way you can to any type of time manipulation and set your tokens, allowing a lot of flexibility.

Reply

p_gurav
Champion
‎01-23-2019 12:39 AM

Try using :

your search ..| appendcols  [|gentimes start=-1 | addinfo | table info_max_time, info_min_time] | where date_e>= info_min_time AND date_e<= info_max_time
0 Karma
Reply

dojiepreji
Path Finder
‎01-23-2019 01:13 AM

I'm sorry but I'm not using timepickers to filter the search itself, which is why I don't think I can use info_min_time and info_max_time. I'm only using the timepicker to compare it to date_e. My time range for this table is set to 'Global'.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...