Re: Find records based on input from user date.

agupta13 · ‎04-28-2023

I have set of records where the data has time column in it.

Eg:

Here I will have an input from user where user will enter the date in input box in any format (yyyy/mm/dd)
I want to find all records that are greater than the time entered by user.

yuanliu · ‎04-28-2023

The problem is the "any" in any format. Does this mean the user choses any format they wish, or does this mean that you dictate any format for your user? If it is a free text input, while it is possible to parse multiple common date format, it is impossible to be exhaustive.

If you can dictate, say "yyyy/mm/dd" as you exemplified, it will be simple. Say, your input token is $date_tok$.

| where _time > strptime($date_tok$, "%Y/%m/%d")

PickleRick · ‎04-29-2023

+1 on the date format - the simplest argument against "any" format is eu vs. us date - does 1/3/23 mean Jan 3rd or March 1st?

Also if you can (and in your case the timestamp seems to be contained in the _time field) you should filter by time as early as possible (time is the most efficient filter) so why not just use time picker to limit your search range?

How to find records based on input from user date?

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation