Solved: Get values Time range

Jailson · ‎03-06-2025

I have a survey that has a date field deletion_date. How can I filter this field by the
Time range?

sourcetype=access_* status=200 action=purchase | top categoryId
|where deletion_date > ?

Jailson · ‎03-18-2025

Thank you for your help, it helped me a lot in solving my problem.

View solution in original post

Jailson · ‎03-18-2025

Thank you all for your help, it helped me a lot in solving my problem.

livehybrid · ‎03-06-2025

Hi @Jailson

What time format is your deletion_date in?

If so and you plan to use this approach in a dashboard then you can use tokens from the time picker and relative_time to use the time picker as a filter. Note that you will still need to apply an earliest/latest to your main part of the search, this will only filter.

<form version="1.1" theme="light">
  <label>xmltest</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults 
| eval deletion_date=now()-7200
| where deletion_date&gt;relative_time(now(),"$field1.earliest$")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Jailson · ‎03-18-2025

Thank you for your help, it helped me a lot in solving my problem.

gcusello · ‎03-19-2025

Hi @Jailson ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

gcusello · ‎03-06-2025

Hi @Jailson ,

the timepicker works only on _time and not on a field like deletion_date.

If you want to filter your data using this filter you have to add it to the main search.

In addition after the top command you have only the fields in the command, in your case: categoryId, perc, count.

If you want to filter your data for deletion_date, you have to put this filter in the main search or before the top command, obviously, if you have this field in your data.

The syntax depends on the format of yor deletion_date field, e.g. if it's in format "yyyy-mm-dd" and you want to filter results if deletion_date>2024-12-31, you should use something like this:

sourcetype=access_* status=200 action=purchase 
| eval 
     deletion_date_epoch=strptime(deletion_date,"%Y-%m-%d"),
     deletion_date_filter_epoch=strptime("2024-12-31","%Y-%m-%d")
| where deletion_date_epoch>deletion_date_filter_epoch
| top categoryId

Ciao.

Giuseppe

kiran_panchavat · ‎03-06-2025

@Jailson

What exactly are you looking for? Could you elaborate a bit more?

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

Get values Time range

timechart

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Get values Time range

timechart

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers