How to detect "now" and turn it into a real date?

Ste
Path Finder

Dear experts

In my dashboard I have a time picker providing the token t_time. 

My search

index="abc" search_name="def"
  [| makeresults
   | eval earliest=relative_time($t_time.latest$,"-1d@d")
   | eval latest=relative_time($t_time.latest$,"@d")
   | fields earliest latest
   | format]
| table _time zbpIdentifier

should pick up that token and make sure that only data from the last full day before t_time.latest is displayed.

2024-12-12 13:13 should be converted to

earliest = 2024-12-11 00:00

latest = 2024-12-11 23:59:59 (or 2024-12-12 00:00)

As long as two real dates are selected in the time picker, everything works as expected.

If, e.g., "Last 7 days" is selected, the search fails and no data is returned.

I'm guessing that in relative mode $t_time.latest$ is represented by something like "now", which causes problems for the relative_date function.

So the question is: how to detect this "now" and turn it into a date understood by relative_date?

bowesmana
SplunkTrust

@Ste The solution is to use addinfo. If you make the search based on the time picker and use addinfo in the subsearch, it will generate info_max_time, which is the normalised end epoch time for the time picker; you can then use that in your subsearch instead, i.e.

index="_audit"
  [| makeresults
   | addinfo
   | eval earliest=relative_time(info_max_time,"-1d@d")
   | eval latest=relative_time(info_max_time,"@d")
   | fields earliest latest
   | format]
| table _time user
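
As an added diagnostic (not part of bowesmana's answer), the following search shows why the token alone breaks in relative mode: put it in a dashboard panel whose earliest/latest are bound to $t_time.earliest$ and $t_time.latest$, and it lists the raw token value next to the normalised info_max_time and the window the subsearch would produce. The field names raw_token, picker_latest and window are assumed for this example.

```spl
| makeresults
| addinfo
| eval raw_token="$t_time.latest$"
| eval picker_latest=strftime(info_max_time, "%F %T")
| eval earliest=relative_time(info_max_time, "-1d@d")
| eval latest=relative_time(info_max_time, "@d")
| eval window=strftime(earliest, "%F %T")." to ".strftime(latest, "%F %T")
| table raw_token picker_latest window
```

With a relative preset such as "Last 7 days" raw_token shows the literal token text while picker_latest and window still resolve, which is the behaviour the addinfo-based subsearch relies on.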

Ste
Path Finder

@bowesmana Exactly what I was looking for, thank you. 

yuanliu
SplunkTrust

I'm not sure how to interpret your question. Do you mean $t_time.latest$ comes from an input selector? (@isoutamo's link shows how to retrieve the value after a search is complete.) For this, one way to handle it is to test its value before format.

index="abc" search_name="def"
  [| makeresults
   | eval earliest=relative_time($t_time.latest$,"-1d@d")
   | eval latest=if("$t_time.latest$" == "now", now(),
      relative_time($t_time.latest$,"@d"))
   | fields earliest latest
   | format]
| table _time zbpIdentifier

Ste
Path Finder

@yuanliu $t_time.latest$ comes from an input selector. As I always wanted to have the @d timestamp, your proposal must be changed slightly.

Below is my untested proposal of how a solution could look based on an if evaluation:

index="abc" search_name="def"
  [| makeresults
   | eval earliest=relative_time($t_time.latest$,"-1d@d")
   | eval latest=if("$t_time.latest$" == "now", relative_time(now(), "@d"),
      relative_time($t_time.latest$,"@d"))
   | fields earliest latest
   | format]
| table _time zbpIdentifier

However, the @bowesmana proposal is more understandable to me.

isoutamo
SplunkTrust

Here is one old example which will probably help you to understand how to use it:

<form version="1.1">
  <label>Time Picker Control</label>
  <init>
    <set token="earliest">-24h</set>
    <set token="latest">now</set>
  </init>
  <fieldset submitButton="false">
    <input type="time" token="time_range">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="earliest">if(relative_time</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Simple timechart</title>
      <chart>
        <title>$ranges$</title>
        <search>
          <query>index=_audit
                  | timechart span=1h count
          </query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
    <panel>
      <title>Calculation panel that limits historical range</title>
      <table>
        <search>
          <done>
            <set token="earliest">$result.earliest$</set>
            <set token="latest">$result.info_max_time$</set>
            <set token="ranges">$result.ranges$</set>
          </done>
          <query>| makeresults
                  | addinfo
                  | eval min_time=now()-(30*86400)
                  | eval earliest=if(info_min_time &lt; min_time, min_time, info_min_time)
                  | eval initial_range="Time Picker range: ".strftime(info_min_time, "%F %T")." to ".strftime(info_max_time, "%F %T")
                  | eval limited_range="Search range ".strftime(earliest, "%F %T")." to ".strftime(info_max_time, "%F %T")
                  | eval ranges=mvappend(initial_range, limited_range)
                  | table ranges earliest info_min_time info_max_time
            </query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

I cannot remember who presented it and when, probably here or on Slack?
