Splunk Search

Get values Time range

Jailson
Explorer

I have a survey that has a date field deletion_date. How can I filter this field by the Time range?

sourcetype=access_* status=200 action=purchase | top categoryId
|where deletion_date > ?
0 Karma

Jailson
Explorer

Thank you all for your help, it helped me a lot in solving my problem.

0 Karma

livehybrid
Champion

Hi @Jailson

What time format is your deletion_date in?

If so, and you plan to use this approach in a dashboard, then you can use tokens from the time picker and relative_time to use the time picker as a filter. Note that you will still need to apply an earliest/latest to your main part of the search; this will only filter.

<form version="1.1" theme="light">
  <label>xmltest</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults 
| eval deletion_date=now()-7200
| where deletion_date&gt;relative_time(now(),"$field1.earliest$")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma

Jailson
Explorer

Thank you for your help, it helped me a lot in solving my problem.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Jailson ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Jailson ,

the timepicker works only on _time and not on a field like deletion_date.

If you want to filter your data using this filter you have to add it to the main search.

In addition after the top command you have only the fields in the command, in your case: categoryId, perc, count.

If you want to filter your data for deletion_date, you have to put this filter in the main search or before the top command, obviously, if you have this field in your data.

The syntax depends on the format of your deletion_date field, e.g. if it's in format "yyyy-mm-dd" and you want to filter results if deletion_date>2024-12-31, you should use something like this:

sourcetype=access_* status=200 action=purchase 
| eval 
     deletion_date_epoch=strptime(deletion_date,"%Y-%m-%d"),
     deletion_date_filter_epoch=strptime("2024-12-31","%Y-%m-%d")
| where deletion_date_epoch>deletion_date_filter_epoch
| top categoryId

Ciao.

Giuseppe

0 Karma
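Putting the two answers above together, the following search is an added example (not code from livehybrid, gcusello or the original question) that can be pasted into the dashboard panel from the earlier answer in place of its query. It builds four constructed rows with makeresults instead of reading sourcetype=access_*, converts the "yyyy-mm-dd" string with strptime as in the answer above, drops rows whose date fails to parse, and applies the time-picker range to deletion_date_epoch before top runs, since top keeps only categoryId, count and percent. The token names $field1.earliest$ and $field1.latest$ come from the <input type="time"> in the earlier answer; the sample dates, categoryId values and the assumption that the picker substitutes either a relative modifier such as -24h@h or an epoch number into those tokens are mine.

```spl
| makeresults count=4
| streamstats count AS n
| eval deletion_date=case(n=1,"2024-11-15", n=2,"2025-01-10", n=3,"2025-02-03", n=4,"not-a-date"),
       categoryId=case(n=1,"STRATEGY", n=2,"ARCADE", n=3,"ARCADE", n=4,"SPORTS")
| eval deletion_date_epoch=strptime(deletion_date,"%Y-%m-%d")
| eval range_earliest=coalesce(tonumber("$field1.earliest$"), relative_time(now(),"$field1.earliest$")),
       range_latest=coalesce(tonumber("$field1.latest$"), relative_time(now(),"$field1.latest$"))
| where isnotnull(deletion_date_epoch)
      AND deletion_date_epoch>=range_earliest
      AND deletion_date_epoch<=range_latest
| top categoryId
```

The coalesce/tonumber pair is there because a preset such as "Last 24 hours" puts a relative modifier in the token while a date range typed into the picker puts an epoch value in it; tonumber returns null for the modifier string, so relative_time is only called when it applies. The row with "not-a-date" is filtered out by the isnotnull check rather than silently comparing null. When the query is placed inside Simple XML the comparison operators must be escaped (&gt; and &lt;) exactly as the earlier dashboard does, and the panel's own <earliest>/<latest> still govern _time, as noted above.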

kiran_panchavat
Influencer

@Jailson

What exactly are you looking for? Could you elaborate a bit more?

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

0 Karma