Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to convert earliest and latest into String values?

celsohso
Path Finder
‎02-10-2015 11:57 AM

I would like to convert a earliest and latest time and concatenate in a string value, so I could have that in my Dashboard. E.g.
"Report: January 1 – 31, 2015"

index=main | head 4 | eval desired_time=strftime(now(), "%B") | eval month_year=strftime(now(),"%d %Y") | eval fulldate = desired_time." ".month_year | table fulldate, _time
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-10-2015 01:10 PM

Not sure I understand completely, but stats first()/last() will give you youngest and oldest event timestamp for any given search (does not necessarily match earliest/latest). Example:

index=main earliest=-2d | stats last(_time) as earliest first(_time) as latest 
| eval startDate=strftime(earliest, "%B %d %Y") 
| eval endDate=strftime(latest, "%B %d %Y") 
| eval reportstring = "Report: ".startDate."-".endDate
| fields reportstring

If that's not what you meant, please clarify your requirement.

View solution in original post

Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-10-2015 01:10 PM

Not sure I understand completely, but stats first()/last() will give you youngest and oldest event timestamp for any given search (does not necessarily match earliest/latest). Example:

index=main earliest=-2d | stats last(_time) as earliest first(_time) as latest 
| eval startDate=strftime(earliest, "%B %d %Y") 
| eval endDate=strftime(latest, "%B %d %Y") 
| eval reportstring = "Report: ".startDate."-".endDate
| fields reportstring

If that's not what you meant, please clarify your requirement.

Reply
Solved! Jump to solution

celsohso
Path Finder
‎02-10-2015 02:18 PM

ssievert_splunk,

Your answer plus the link you gave me work perfectly.

thank you so much for all your help, outstanding!

Reply
Solved! Jump to solution

celsohso
Path Finder
‎02-10-2015 01:31 PM

ssievert_splunk

I was asked to add a Header to my report with the timeframe I am reporting for. E.g. "Report: January 1 – 31, 2015", so that it would show up as a header on all the PDF pages.

I don't know why this search is not working for me

Thanks a lot for your help so far

0 Karma
Reply
Solved! Jump to solution

celsohso
Path Finder
‎02-10-2015 01:32 PM

I would like to use:

earliest=-30d@d and latest=@d

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-10-2015 01:36 PM

you can use whatever values you need for your earliest/latest search timeframe constraints.

This answer here, I think, is what you are really asking, i.e. how can you put the report timeframe at the top of a report so that it gets captured in the PDF when delivered. The answer shows how to use a single-value panel at the top of your report that you can populate with the String you wish to use. I showed you above how to put together that string.

BTW, what version of Splunk are you using?

Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
li.common.scroll-to.top