Splunk Search

How to change the default time range in search?

New Member

I have the data below

LOG_DATE MSG_RECV_DATE
20160809 20160809
20160809 20160809
20160809 20160809
20160810 20160809
20160810 20160809
20160810 20160809

The Splunk time range is based on LOG_DATE

In the dashboard I have a date filter; if I select 20160809 it displays the count as 3 instead of 6. The graph is plotted with a span of 15 min for the selected date. Below is the code snippet. The root cause is that it searches based on the selected date in LOG_DATE and not in MSG_RECV_DATE, because the time range field is mapped to LOG_DATE.

sourcetype=test
| eval PaymentRecvDateTime = MSG_RECV_DATE.MSG_RECV_TIME
| eval PaymentRecvDateTimeEpoch = strptime(PaymentRecvDateTime, "%Y%m%d%H%M%S")
| bucket PaymentRecvDateTimeEpoch span=15m
| stats dc(LOG_REF_ID) as PaymentCount by PaymentRecvDateTimeEpoch
| search PaymentRecvDateTimeEpoch<=$ENDDATEEPOCH$ PaymentRecvDateTimeEpoch>=$STARTDATEEPOCH$
| rename PaymentRecvDateTimeEpoch AS _time
| timechart span=15m sum(PaymentCount) as count
0 Karma

Legend

Try this

index=xyz
    MSG_RECV_DATE>=[| makeresults | eval search=strftime(relative_time(now(), "$timepicker.earliest$"), "%Y%m%d") | fields search]
    MSG_RECV_DATE<=[| makeresults | eval search=strftime(relative_time(now(), "$timepicker.latest$"), "%Y%m%d") | fields search]
| rest of your search here

Or try this

index=xyz
    [| makeresults
     | eval l=strftime($ENDDATEEPOCH$, "%Y%m%d")
     | eval e=strftime($STARTDATEEPOCH$, "%Y%m%d")
     | eval search="(MSG_RECV_DATE>=".e." AND MSG_RECV_DATE<=".l.")"
     | table search ]
0 Karma
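As an added example (not code from the original poster or the answerer), here is a Simple XML dashboard that wires the approach above together end to end: the panel search itself runs over all of _time (i.e. every LOG_DATE), and the time picker's tokens only drive the MSG_RECV_DATE filter built in the subsearch. Field names and sourcetype are taken from the question; the tonumber/coalesce handling of the tokens is an assumption added here so that the filter works whether the picker supplies a relative modifier such as "-7d@d" (relative_time path) or an absolute epoch value (tonumber path), with now() as a fallback for an empty latest token.

```xml
<form>
  <label>Payments by MSG_RECV_DATE (added example)</label>
  <fieldset submitButton="false">
    <!-- The picker only produces tokens; it does NOT set the search's own time range below. -->
    <input type="time" token="timepicker">
      <label>Message received date</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <!-- Outer time range is all time, so every LOG_DATE is searched. -->
          <query>
sourcetype=test
    [| makeresults
     | eval e = coalesce(tonumber("$timepicker.earliest$"), relative_time(now(), "$timepicker.earliest$"))
     | eval l = coalesce(tonumber("$timepicker.latest$"),   relative_time(now(), "$timepicker.latest$"), now())
     | eval search = "MSG_RECV_DATE&gt;=" . strftime(e, "%Y%m%d") . " MSG_RECV_DATE&lt;=" . strftime(l, "%Y%m%d")
     | fields search]
| eval PaymentRecvDateTimeEpoch = strptime(MSG_RECV_DATE . MSG_RECV_TIME, "%Y%m%d%H%M%S")
| bucket PaymentRecvDateTimeEpoch span=15m
| stats dc(LOG_REF_ID) AS PaymentCount BY PaymentRecvDateTimeEpoch
| rename PaymentRecvDateTimeEpoch AS _time
| timechart span=15m sum(PaymentCount) AS count
          </query>
          <earliest>0</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
```

The `&gt;`/`&lt;` entities are just XML escaping for the `>=`/`<=` comparisons inside the query. Because the tokens are interpolated straight into SPL, this is only safe with a constrained input such as the time picker; if the date ever comes from a free-text input instead, wrap it with the quoting filter (`$token|s$`) rather than splicing it in raw.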

New Member

My drop-down is MESG_RECV_DATE, not LOG_DATE.

0 Karma

Legend

Not sure I understand. Are you not using a timepicker? If you aren't, can you restate what it is you're trying to do?

0 Karma

Engager

Are you wanting the time range picker on a dashboard (Add Input > Time) not to search on the Splunk "_time" value, which by default is when the event was indexed, but on the timestamp found within the event itself, in "_raw"?

0 Karma

New Member

My problem is that LOG_DATE is the _time field (defined in Splunk), and in the dashboard search I want ALL the LOG_DATE values, not just the particular date selected from the drop-down.

0 Karma