Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to change the default time range in search?

mohanbangw
New Member
‎08-11-2016 06:02 PM

I have below data

LOG_DATE MSG_RECV_DATE
20160809 20160809
20160809 20160809
20160809 20160809
20160810 20160809
20160810 20160809
20160810 20160809

The Splunk time range is based on LOG_DATE

In the dashboard have the date filter, if select 20160809 it display the count as 3 instead of 6. The graph is plotted for span of 15 min for the selected date. Below is the code snippet. The root cause is it searching based on the selected date in the LOG_DATE and not in the MSG_RECV_DATE because the time range field is mapped to LOG_DATE

sourcetype=test | eval PaymentRecvDateTime= MSG_RECV_DATE.MSG_RECV_TIME | eval PaymentRecvDateTimeEpoch= strptime(PaymentRecvDateTime,"%Y%m%d%H%M%S")| bucket PaymentRecvDateTimeEpoch span=15m | stats dc(LOG_REF_ID) as PaymentCount by PaymentRecvDateTimeEpoch | search PaymentRecvDateTimeEpoch<=$ENDDATEEPOCH$ PaymentRecvDateTimeEpoch>=$STARTDATEEPOCH$ | rename PaymentRecvDateTimeEpoch AS _time |timechart span=15m sum(PaymentCount) as count
0 Karma
Reply

sundareshr
Legend
‎08-11-2016 06:54 PM

Try this

index=xyz MSG_RECV_DATE>=[| makeresults | eval search=strftime(relative_time(now() , "$timepicker.earliest$"), "%Y%m%d") | fields search] MSG_RECV_DATE<=[| makeresults | eval search=strftime(relative_time(now() , "$timepicker.latest$"), "%Y%m%d") | fields search] | rest of your search here

Or try this

index=xyz [| makeresults | eval l=strftime($ENDDATEEPOCH$, "%Y%m%d") |  eval e=strftime($STARTDATEEPOCH$, "%Y%m%d")  | eval search="(MSG_RECV_DATE>=".e." AND MSG_RECV_DATE<=".l.")" | table search ]
0 Karma
Reply

mohanbangw
New Member
‎08-11-2016 09:08 PM

My drop down is MESG_RECV_DATE and not the LOG_DATE

0 Karma
Reply

sundareshr
Legend
‎08-12-2016 04:28 AM

Not sure I understand. Are you not using a timepicker? If you aren't can you restate what it is you're trying to do

0 Karma
Reply

maclel
Engager
‎08-11-2016 06:42 PM

Are you wanting to have the time range picker on a dashboard (Add Input > Time) not to search on the Splunk "_time" value which is default of when the event was indexed. But that of the timestamp found within the event itself "_raw"?

0 Karma
Reply

mohanbangw
New Member
‎08-11-2016 07:02 PM

my problem is LOG_DATE is the _time field (defined in splunk) and while dashboard search I want ALL the LOG_DATE not for a particular date after selected from drop down.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...