Solved: Get values Time range

Jailson

I have a survey that has a date field deletion_date. How can I filter this field by the
Time range?

sourcetype=access_* status=200 action=purchase | top categoryId
|where deletion_date > ?

Jailson

Thank you for your help, it helped me a lot in solving my problem.

View solution in original post

Jailson

Thank you all for your help, it helped me a lot in solving my problem.

livehybrid

Hi @Jailson

What time format is your deletion_date in?

If so and you plan to use this approach in a dashboard then you can use tokens from the time picker and relative_time to use the time picker as a filter. Note that you will still need to apply an earliest/latest to your main part of the search, this will only filter.

<form version="1.1" theme="light">
  <label>xmltest</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults 
| eval deletion_date=now()-7200
| where deletion_date&gt;relative_time(now(),"$field1.earliest$")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Jailson

Thank you for your help, it helped me a lot in solving my problem.

gcusello

Hi @Jailson ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

gcusello

Hi @Jailson ,

the timepicker works only on _time and not on a field like deletion_date.

If you want to filter your data using this filter you have to add it to the main search.

In addition after the top command you have only the fields in the command, in your case: categoryId, perc, count.

If you want to filter your data for deletion_date, you have to put this filter in the main search or before the top command, obviously, if you have this field in your data.

The syntax depends on the format of yor deletion_date field, e.g. if it's in format "yyyy-mm-dd" and you want to filter results if deletion_date>2024-12-31, you should use something like this:

sourcetype=access_* status=200 action=purchase 
| eval 
     deletion_date_epoch=strptime(deletion_date,"%Y-%m-%d"),
     deletion_date_filter_epoch=strptime("2024-12-31","%Y-%m-%d")
| where deletion_date_epoch>deletion_date_filter_epoch
| top categoryId

Ciao.

Giuseppe

kiran_panchavat

@Jailson

What exactly are you looking for? Could you elaborate a bit more?

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.

Get values Time range

timechart

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk