How can I get time picker earliest and latest epoch values before doing a search?

Communicator

Hi,

How can I get 'raw' earliest and latest value before doing search?

I need the epoch seconds format, so -1d@d could be converted to 1450696447.
I know the addinfo command, but for my custom visualization, I need to know it before starting a search (the search string depends on time difference).

Where can I find Splunk timeformat parser in JavaScript?
I know it exists, because there is dynamic evaluation here: http://s29.postimg.org/ha258ed1z/Bez_nazwy.png in each Splunk timepicker

0 Karma

Communicator

My solution includes 'models/services/search/TimeParser'.
resp_obj = (new TimeParser()).sync('read', TimeParser, {data: {time: arg}}); // (arg is the string I want to parse)
Then, after some time (I don't know how to attach a handler for the reply from the TimeParser query):

Math.floor((new Date(resp_obj.responseJSON[arg])).getTime() / 1000);

I just looped this with setTimeout.


0 Karma
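
The conversion from the accepted solution above, with a completion handler in place of the setTimeout loop, as an added example that is not part of the original posts or Splunk's own code. `request`, `resolveRange`, `epochFromReply`, `isEpoch` and the sample reply are assumptions; the reply shape follows how the post reads `resp_obj.responseJSON[arg]`.

```javascript
// Added example, not Splunk's code. Assumes the reply is a JSON object that
// maps each requested time string to an ISO-8601 timestamp, as the post
// above reads it via resp_obj.responseJSON[arg].

// Convert one reply entry to epoch seconds; throw rather than return NaN.
function epochFromReply(reply, arg) {
  if (!reply || !Object.prototype.hasOwnProperty.call(reply, arg)) {
    throw new Error('no entry for "' + arg + '" in time parser reply');
  }
  var ms = new Date(reply[arg]).getTime();
  if (isNaN(ms)) {
    throw new Error('unparseable timestamp for "' + arg + '": ' + reply[arg]);
  }
  return Math.floor(ms / 1000);
}

// A value that is already epoch seconds needs no round trip to the server.
function isEpoch(value) {
  return /^\d+(\.\d+)?$/.test(String(value));
}

// Resolve earliest/latest to epoch seconds. `request` is a hypothetical
// function(timeStrings) returning a promise or jQuery-style thenable for the
// reply object, e.g. a wrapper around the TimeParser call from the post.
function resolveRange(request, earliest, latest) {
  var pending = [earliest, latest].filter(function (v) { return !isEpoch(v); });
  var reply = pending.length ? request(pending) : {};
  return Promise.resolve(reply).then(function (parsed) {
    var toEpoch = function (v) {
      return isEpoch(v) ? Math.floor(Number(v)) : epochFromReply(parsed, v);
    };
    var range = { earliest: toEpoch(earliest), latest: toEpoch(latest) };
    if (range.latest < range.earliest) throw new Error('latest precedes earliest');
    range.span = range.latest - range.earliest;
    return range;
  });
}

// Constructed sample reply (not captured from a real Splunk instance).
var SAMPLE_REPLY = {
  '-1d@d': '2015-12-20T00:00:00.000+00:00',
  'now': '2015-12-21T11:14:07.000+00:00'
};

resolveRange(function () { return Promise.resolve(SAMPLE_REPLY); }, '-1d@d', 'now')
  .then(function (r) { console.log(r.earliest, r.latest, r.span); });
```

Because the failure cases throw inside the promise chain, a missing or malformed reply surfaces in a `.catch()` handler instead of producing a NaN that ends up in the search string.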

Communicator

I managed to do it using the relative_time function for use in a dashboard with a timepicker input.

<query>| loadjob savedsearch="foo:bar:buzz" | eval start_time=relative_time(now(),"$token_time.earliest$") | eval end_time=relative_time(now(),"$token_time.latest$") | where _time>=start_time AND _time&lt;=end_time</query>

HTH
Keith

Communicator

Umm this isn't about loadjob is it......... DOH

0 Karma

Influencer

Thanks for updating the answer!

Communicator

Hi @lukasz92 ,
I have a similar issue. I want to convert the time picker value to epoch time so that I can put a condition. Could you please elaborate more on how this solution fixed your issue?

0 Karma

Legend
0 Karma

Communicator

I don't want to fire a job for one simple search.

This could take some seconds. With JS I get the answers in 20ms.

0 Karma

Influencer

It's unclear where you need the raw values - your custom viz needs the epoch value? Or does the search string need the epoch value?

For Splunk have a look at the Splunk eval functions relative_time() and strptime() http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/CommonEvalFunctions

If you want to do it in JS, use something like var epoch = Math.floor((new Date).getTime()/1000) (or see Stack Overflow for dozens of variations).

0 Karma

Communicator

I can't write condition _time<30d@d - that is the reason.
I also don't want to start new search for just parsing timestamps (it has to be fast).

My solution includes 'models/services/search/TimeParser'.
resp_obj = (new TimeParser()).sync('read', TimeParser, {data: {time: arg}}); // (arg is the string I want to parse)
and after some time
Math.floor((new Date(resp_obj.responseJSON[arg])).getTime() / 1000);

0 Karma

Influencer

If you have found a solution would you mind posting it as an answer here and accepting it? That way the whole community benefits. Thanks!

0 Karma