- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to parse a timestamp field from a user text in...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi guys,
So I have an input field where the user inputs text in the format %y%m%d%H%M, for example 1607061700, which would be July 6th, 2016 5:00 PM. I would like to parse this input and set my search time range to be an hour before and 5 hours after this time. I've tried using subsearches and messing with the XML, but can't seem to get anything to work. Any help would be greatly appreciated. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
<input type="text">
<change>
<eval token="e">strptime($value$, "%y%m%d%H%M")-3600</eval>
<eval token="l">strptime($value$, "%y%m%d%H%M")+18000</eval>
</change>
<input>
In your search query, use earliest=$e$ latest=$l$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since the $value$ is not working, try this approach in your panel's search
index=xyz [| gentimes start=-1 | eval earliest=relative_time(strptime($t$, "%y%m%d%H%M"), "-1h") | eval latest=relative_time(strptime($t$, "%y%m%d%H%M"), "+5h") | table earliest latest]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
<input type="text">
<change>
<eval token="e">strptime($value$, "%y%m%d%H%M")-3600</eval>
<eval token="l">strptime($value$, "%y%m%d%H%M")+18000</eval>
</change>
<input>
In your search query, use earliest=$e$ latest=$l$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For some reason, the resulting e and l values are earliest=946710000 latest=946731600 which translates to (12/31/99 11:00:00.000 PM to 1/1/00 5:00:00.000 AM). Not sure why strptime isn't parsing this correctly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
<eval token="e">relative_time(strptime($value$, "%y%m%d%H%M"), "-1h")</eval>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just did a little debugging. The issue is with the $value$ token which currently carries the value of null for some reason.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
which splunk version?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk 6.3 what about you?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have version 6.4. Shouldn't make any difference. I tried using $t$ (token name for the text box) instead of $value$, and I get the incorrect date.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah I'm really not sure why $value$ is giving me null. $t$ and $t.value$ also don't work for me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using $t$ in the panel's search. See if you get the value there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fixed the problem. Using value with no $ around it worked for me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you know any other way of doing this that might work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
using $t$ in the search query works for me
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still the same result. The issue is with strptime not parsing the input correctly. strptime($value$, "%y%m%d%H%M") produces 1/1/00 12:00:00.000 AM which I'm assuming is the default or starting time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just tried this and I get right results
<form>
<label>Test Dashboard</label>
<fieldset submitButton="false">
<input type="text" token="t">
<label>field1</label>
<default>1607061700</default>
<change>
<eval token="e">relative_time(strptime($value$, "%y%m%d%H%M"), "-1h")</eval>
<eval token="l">strptime($value$, "%y%m%d%H%M")+18000</eval>
</change>
</input>
</fieldset>
<row>
<panel>
<table>
<title>$e$ ($l$)</title>
<search>
<query>| gentimes start=-1 | eval x="$e$" | eval y="$l$" | eval z=strftime(x, "%y-%m-%d %H:%M") | eval a=strftime(y, "%y-%m-%d %H:%M") | table x y z a</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
</table>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Copy and pasted that into my dashboard and didn't work for me. Not sure why it could be something to do with splunk settings.
Video | Welcome Back to Smartness, Pedro
Detector Best Practices: Static Thresholds
Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...
