Splunk Search

How can I get time picker earliest and latest epoch values before doing a search?

lukasz92
Communicator

Hi,

How can I get the 'raw' earliest and latest values before doing a search?

I need the epoch seconds format, so -1d@d could be converted to 1450696447.
I know the addinfo command, but for my custom visualization, I need to know it before starting a search (the search string depends on time difference).

Where can I find Splunk timeformat parser in JavaScript?
I know it exists, because there is dynamic evaluation here: http://s29.postimg.org/ha258ed1z/Bez_nazwy.png in each Splunk timepicker

1 Solution

lukasz92
Communicator

My solution includes 'models/services/search/TimeParser'.
resp_obj = (new TimeParser()).sync('read', TimeParser, {data: {time: arg}}); // (arg is the string I want to parse, e.g. "-1d@d")
Then, after some time (I don't know how to attach a handler for the reply from the TimeParser query):

// resp_obj.responseJSON[arg] holds the parsed timestamp; convert it to epoch seconds
Math.floor((new Date(resp_obj.responseJSON[arg])).getTime() / 1000);

I just looped this with setTimeout.

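The JavaScript time-format parser the question asks about, as an added example that is not from this thread or from Splunk's own code: it evaluates the subset of Splunk's relative-time syntax a time picker produces ([+|-]N<unit> offsets and @<unit> snaps, chainable, with aliases such as min/hr/day) to epoch seconds locally, so earliest, latest and their difference are known before any search or REST round trip. Assumptions: arithmetic is done in UTC (Splunk itself snaps in the user's configured timezone), the function names are mine, and `now` is injectable so results are reproducible.

```javascript
// Added example (not from the thread): local parser for the core of Splunk's relative-time
// syntax ([+|-]N<unit> offsets and @<unit> snaps, chainable: "-1d@d", "-7d@w0", "@d+3h")
// to epoch seconds. Assumption: UTC arithmetic; Splunk snaps in the user's timezone.
const UNIT_SECONDS = { s: 1, m: 60, h: 3600, d: 86400, w: 604800 };
const ALIASES = { sec: 's', secs: 's', second: 's', seconds: 's', min: 'm', mins: 'm', minute: 'm',
  minutes: 'm', hr: 'h', hrs: 'h', hour: 'h', hours: 'h', day: 'd', days: 'd', week: 'w', weeks: 'w',
  month: 'mon', months: 'mon', yr: 'y', yrs: 'y', year: 'y', years: 'y' };

function applyOffset(date, n, unit) {
  const u = ALIASES[unit] || unit, d = new Date(date.getTime());
  if (u in UNIT_SECONDS) return new Date(d.getTime() + n * UNIT_SECONDS[u] * 1000);
  if (u === 'mon') d.setUTCMonth(d.getUTCMonth() + n);         // no day-of-month clamping
  else if (u === 'y') d.setUTCFullYear(d.getUTCFullYear() + n);
  else throw new Error('unknown time unit: ' + unit);
  return d;
}

function snapTo(date, unit, weekday) {
  const u = ALIASES[unit] || unit, d = new Date(date.getTime());
  if (u === 'w') {                       // @w and @w0 = Sunday, @w1 = Monday, ...
    d.setUTCDate(d.getUTCDate() - ((d.getUTCDay() - weekday + 7) % 7));
    d.setUTCHours(0, 0, 0, 0);
    return d;
  }
  switch (u) {                           // each case falls through to the finer-grained resets
    case 'y': d.setUTCMonth(0);
    case 'mon': d.setUTCDate(1);
    case 'd': d.setUTCHours(0);
    case 'h': d.setUTCMinutes(0);
    case 'm': d.setUTCSeconds(0);
    case 's': d.setUTCMilliseconds(0); break;
    default: throw new Error('unknown snap unit: ' + unit);
  }
  return d;
}

// Parse a time-picker token value such as "-1d@d" into epoch seconds relative to `now`.
function relativeTimeToEpoch(expr, now = new Date()) {
  let rest = expr.trim(), d = new Date(now.getTime()), m;
  if (rest === '' || rest === 'now') return Math.floor(d.getTime() / 1000);
  while (rest.length) {
    if ((m = /^([+-])(\d*)([a-z]+)/.exec(rest))) {   // a missing integer means 1 ("-d@d")
      d = applyOffset(d, (m[1] === '-' ? -1 : 1) * (m[2] === '' ? 1 : Number(m[2])), m[3]);
    } else if ((m = /^@([a-z]+)(\d)?/.exec(rest))) {
      d = snapTo(d, m[1], m[2] === undefined ? 0 : Number(m[2]));
    } else throw new Error('cannot parse time modifier: ' + expr);
    rest = rest.slice(m[0].length);
  }
  return Math.floor(d.getTime() / 1000);
}
```

Feed it the `$token.earliest$` and `$token.latest$` values from the picker and subtract the two results to get the range length in seconds; an unrecognised unit throws rather than silently returning `now`.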

kmugglet
Communicator

I managed to do it using the relative_time function for use in a dashboard with a timepicker input.

<query>| loadjob savedsearch="foo:bar:buzz" | eval start_time=relative_time(now(),"$token_time.earliest$") | eval end_time=relative_time(now(),"$token_time.latest$") | where _time>=start_time AND _time<=end_time </query> 

HTH
Keith

kmugglet
Communicator

Umm this isn't about loadjob is it......... DOH

0 Karma

jplumsdaine22
Influencer

Thanks for updating the answer!

twh1
Communicator

Hi @lukasz92 ,
I have a similar issue. I want to convert the time picker value to epoch time so that I can put a condition on it. Could you please elaborate on how this solution fixed your issue.

0 Karma

lukasz92
Communicator

I don't want to fire a job for one simple search.

This could take some seconds. With JS I get the answers in 20ms.

0 Karma

jplumsdaine22
Influencer

It's unclear where you need the raw values - your custom viz needs the epoch value? Or does the search string need the epoch value?

For Splunk have a look at the Splunk eval functions relative_time() and strptime() http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/CommonEvalFunctions

If you want to do it in JS use something like var epoch = Math.floor((new Date).getTime()/1000) (or see stack overflow for dozens of variations)

lukasz92
Communicator

I can't write the condition _time<30d@d - that is the reason.
I also don't want to start a new search just for parsing timestamps (it has to be fast).

My solution includes 'models/services/search/TimeParser'.
resp_obj = (new TimeParser()).sync('read', TimeParser, {data: {time: arg}}); // (arg is the string I want to parse)
and after some time
Math.floor((new Date(resp_obj.responseJSON[arg])).getTime() / 1000);

jplumsdaine22
Influencer

If you have found a solution would you mind posting it as an answer here and accepting it? That way the whole community benefits. Thanks!

0 Karma