Solved: Re: How can I get time picker earliest and latest ...

lukasz92 · ‎12-22-2015

Hi,

How can I get 'raw' earliest and latest value before doing search?

I need the epoch seconds format, so -1d@d could be converted to 1450696447.
I know the addinfo command, but for my custom visualization, I need to know it before starting a search (the search string depends on time difference).

Where can I find Splunk timeformat parser in JavaScript?
I know it exists, because there is dynamic evaluation here: http://s29.postimg.org/ha258ed1z/Bez_nazwy.png in each Splunk timepicker

lukasz92 · ‎02-05-2016

My solution includes 'models/services/search/TimeParser'.
resp_obj = (new TimeParser()).sync('read', TimeParser, {data: {time: arg}}); // (arg is the string I want to parse)
Then, after some time - (I don't know how to attach handler for reply from TimeParser query.

Math.Floor((new Date(resp_obj.responseJSON[arg])).getTime() / 1000);

I just looped this with setTimeout.

View solution in original post

kmugglet · ‎06-30-2016

I managed to do it using the relative_time function for use in a dashboard with a timepicker input.

<query>| loadjob savedsearch="foo:bar:buzz" | eval start_time=relative_time(now(),"$token_time.earliest$") | eval end_time=relative_time(now(),"$token_time.latest$") | where _time>=start_time AND _time<=end_time </query>

HTH
Keith

kmugglet · ‎06-30-2016

Umm this isn't about loadjob is it......... DOH

lukasz92 · ‎02-05-2016

My solution includes 'models/services/search/TimeParser'.
resp_obj = (new TimeParser()).sync('read', TimeParser, {data: {time: arg}}); // (arg is the string I want to parse)
Then, after some time - (I don't know how to attach handler for reply from TimeParser query.

Math.Floor((new Date(resp_obj.responseJSON[arg])).getTime() / 1000);

I just looped this with setTimeout.

jplumsdaine22 · ‎02-05-2016

Thanks for updating the answer!

twh1 · ‎10-03-2018

Hi @lukasz92 ,
I have similar issue. I want to convert time picker value to epoch time so that i can put condition. Could you please elaborate more, how you this solution fixed your issue.

sundareshr · ‎01-06-2016

How about gentimes

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Gentimes

lukasz92 · ‎02-05-2016

I don't want to fire a job for one simple search.

This could take some seconds. With JS I get the answers in 20ms.

jplumsdaine22 · ‎12-30-2015

It's unclear where you need the raw values - your custom viz needs the epoch value? Or does the search string need the epoch value?

For Splunk have a look at the Splunk eval functions relative_time() and strptime() http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/CommonEvalFunctions

If you want to do it in JS use something like var epoch = Math.floor((new Date).getTime()/1000) (or see stack overflow for dozens of variations)

lukasz92 · ‎01-05-2016

I can't write condition _time<30d@d - that is the reason.
I also don't want to start new search for just parsing timestamps (it has to be fast).

my solution includes 'models/services/search/TimeParser'.
resp_obj = (new TimeParser()).sync('read', TimeParser, {data: {time: arg}}) (arg is the string I want to parse)
and after some time
Math.Floor((new Date(resp_obj.responseJSON[arg])).getTime() / 1000)

jplumsdaine22 · ‎01-05-2016

If you have found a solution would you mind posting it as an answer here and accepting it? That way the whole community benefits. Thanks!

How can I get time picker earliest and latest epoch values before doing a search?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?