in below query its showing time picker data or time as per time picker. but i want if i select last 30 days in time picker it should show date of last 30 days ,if i select date range it should be show same date in my coloum and if select last last month it should be showing date on start date
tsest _time
<input type="time" token="timepicker">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<panel>
<table>
<search>
<query>| makeresults |eval start_date="$timepicker.earliest$", end_date="$timepicker.latest$"|table start_date,end_date</query>
<earliest>$timepicker.earliest$</earliest>
<latest>$timepicker.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
Is your issue fixed?
@abhishekdubey006 refer to one of my older answer where based on the time picker selection, the earliest and latest time is set as String Time and Epoch Time (along with duration) using two options. https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html
Please try out and confirm!
Hi,
As per my understanding, I have designed the below query which prints the start date and end date according to the date selected in the time picker,
| makeresults
| eval start_date="$timepicker.earliest$", end_date="$timepicker.latest$"
| eval x = if(isnum(start_date),start_date,relative_time(now(), start_date))
| eval y = if(isnum(end_date),end_date,case(end_date == "now", now(), end_date == "", now(), 1=1,relative_time(now(), end_date)))
| convert timeformat="%d-%m-%Y %H:%M:%S" ctime(x) AS StartDate
| convert timeformat="%d-%m-%Y %H:%M:%S" ctime(y) AS EndDate
| table StartDate, EndDate
It handles all the cases, which are present in the time picker except real time as make result doesn't support that.
Supported cases are given below,
Note:
Happy Splunking!!!
Hi.
If you are looking to display the date, you can do the following:
| makeresults |stats earliest(_time) as start_date, latest(_time) as end_date
|eval start_date=strftime(start_date, "%D"), end_date=strftime(end_date, "%D")
|table start_date,end_date