Splunk Search

How to filter a dashboard search based on a date field that is not the default _time field?



I am having trouble setting up a dashboard to filter based on a date field which isn't the default _time field.

{{search....}} | eval _time = strptime(CreatedDate, "%Y-%m-%d %H:%M:%S.%3N") | table _time CreatedDate DER_LastUpdated | sort CreatedDate asc

I've tried to use eval to create a new field which would act as the default time dimension for the table, which looks like it works as the output table correctly shows _time value as equal to the CreatedDate value. The problem, however, is when I place this search on a dashboard with a time input that continues to filter based on the DER_LastUpdated field rather than the new _time field. My question becomes, how can I filter tables, etc. on a dashboard on time values which aren't the timestamp values stipulated when creating a dbinput?

0 Karma


I had the same issue.

This blog post by Splunk helped me: I can’t make my time range picker pick my time field.

0 Karma


I don't think you can do what you want this way. When you edit _time using eval - the search is already complete. The time range picker only applies to the first search in the pipeline.

AFAIK, the only way to do what you want is:

yoursearchhere earliest=-TTT 
| eval cDate = strptime(CreatedDate, "%Y-%m-%d %H:%M:%S.%3N") 
| where cDate >= realEarliestTime AND cDate <= realLatestTime

In the initial search, you must search across a timerange that is guaranteed to pick up everything that you might want - so "TTT" may represent a long time.

I wasn't sure where/how you are getting the start and end times that you want to use, so I just used "realEarliestTime" and "realLatestTime" for the example


Thanks very much, Iguinn!

I understand the search function a bit better thanks to your post. I've followed your steps (I think) and have am now met with a new error in the where command, specifically: "Error in 'where' command: the expression is malformed. A comparison operator is missing"

I think the where command is pretty simply stating the eval field cDate needs to exist between two token fields which are used in the dashboard input, but can you spot the issue with the below xml?

<input type="time" token="_time_tok" searchWhenChanged="true">

      <query>index=... sourcetype=... earliest=-6mon@ | eval cDate = strftime(strptime(CreatedDate, "%Y-%m-d %H:%M:%S.%3N"), "%Y-%m-%d %H:%M:%S.%3N") | where cDate &gt;= $_time_tok.earliest$ AND cDate &lt;= $_time_tok.latest$
0 Karma


Yes, tokens (like $_time_tok.earliest$) are replaced with simple substitution. The tokens are "-1d", etc. not actual timestamps.

So this should work:

<query>index=... sourcetype=... earliest=-6mon@ 
| eval cDate =strptime(CreatedDate, "%Y-%m-d %H:%M:%S.%3N")
| eval earliest = relative_time(now(),"$_time_tok.earliest$")
| eval latest=  relative_time(now(),"$_time_tok.latest$")
| where cDate &gt;= earliest AND cDate &lt;= latest
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti &#x1f389; —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...