Splunk Search

How to parse a timestamp field from a user text input to use for the search time range?

brianlee12
Engager

Hi guys,

So I have an input field where the user inputs text in the format %y%m%d%H%M, for example 1607061700, which would be July 6th, 2016 5:00 PM. I would like to parse this input and set my search time range to be an hour before and 5 hours after this time. I've tried using subsearches and messing with the XML, but can't seem to get anything to work. Any help would be greatly appreciated. Thanks!

0 Karma
1 Solution

sundareshr
Legend

Try this

<input type="text">
      <change>
        <!-- parse the %y%m%d%H%M text into epoch seconds, then shift by -1h / +5h -->
        <eval token="e">strptime($value$, "%y%m%d%H%M")-3600</eval>
        <eval token="l">strptime($value$, "%y%m%d%H%M")+18000</eval>
      </change>
</input>

In your search query, use earliest=$e$ latest=$l$

0 Karma

sundareshr
Legend

Since the $value$ is not working, try this approach in your panel's search:

index=xyz  [| gentimes start=-1 | eval earliest=relative_time(strptime($t$, "%y%m%d%H%M"), "-1h") | eval latest=relative_time(strptime($t$, "%y%m%d%H%M"), "+5h") | table earliest latest]
0 Karma

brianlee12
Engager

For some reason, the resulting e and l values are earliest=946710000 latest=946731600 which translates to (12/31/99 11:00:00.000 PM to 1/1/00 5:00:00.000 AM). Not sure why strptime isn't parsing this correctly.

0 Karma

sundareshr
Legend

Try this

<eval token="e">relative_time(strptime($value$, "%y%m%d%H%M"), "-1h")</eval>
0 Karma

brianlee12
Engager

Just did a little debugging. The issue is with the $value$ token which currently carries the value of null for some reason.

0 Karma

sundareshr
Legend

Which Splunk version?

0 Karma

brianlee12
Engager

Splunk 6.3, what about you?

0 Karma

sundareshr
Legend

I have version 6.4. Shouldn't make any difference. I tried using $t$ (token name for the text box) instead of $value$, and I get the incorrect date.

0 Karma

brianlee12
Engager

Yeah I'm really not sure why $value$ is giving me null. $t$ and $t.value$ also don't work for me.

0 Karma

sundareshr
Legend

Try using $t$ in the panel's search. See if you get the value there.

0 Karma

brianlee12
Engager

Fixed the problem. Using value with no $ around it worked for me.

0 Karma

brianlee12
Engager

Do you know any other way of doing this that might work?

0 Karma

brianlee12
Engager

Using $t$ in the search query works for me.

0 Karma

brianlee12
Engager

Still the same result. The issue is with strptime not parsing the input correctly. strptime($value$, "%y%m%d%H%M") produces 1/1/00 12:00:00.000 AM, which I'm assuming is the default or starting time.

0 Karma

sundareshr
Legend

I just tried this and I get the right results.

    <form>
      <label>Test Dashboard</label>
      <fieldset submitButton="false">
        <input type="text" token="t">
          <label>field1</label>
          <default>1607061700</default>
          <change>
            <eval token="e">relative_time(strptime($value$, "%y%m%d%H%M"), "-1h")</eval>
            <eval token="l">strptime($value$, "%y%m%d%H%M")+18000</eval>
          </change>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <title>$e$ ($l$)</title>
            <search>
              <query>| gentimes start=-1 | eval x="$e$" | eval y="$l$" | eval z=strftime(x, "%y-%m-%d %H:%M") | eval a=strftime(y, "%y-%m-%d %H:%M") | table x y z a</query>
              <earliest>-15m</earliest>
              <latest>now</latest>
            </search>
          </table>
        </panel>
      </row>
    </form>
0 Karma
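The accepted answer and the test dashboard above both rely on `strptime($value$, "%y%m%d%H%M")` and then shift the result by -1h / +5h, and the thread shows what happens when the token arrives empty: the eval silently yields 2000-01-01 00:00 local time (the 946710000 / 946731600 pair), so the panel searches a window nobody asked for. The following Python is an added example, not code from the thread or from Splunk: it parses the same `%y%m%d%H%M` text strictly, rejects empty or malformed input instead of defaulting, computes the same earliest/latest window in epoch seconds, and mirrors the `strftime(x, "%y-%m-%d %H:%M")` check from the test dashboard. The function names are mine, and it assumes the input is interpreted as UTC (a real dashboard would use the server's or user's time zone).

```python
"""Added example (not from the thread): strict handling of a %y%m%d%H%M text
input before it becomes a Splunk earliest/latest search window."""
from datetime import datetime, timedelta, timezone

TIME_FMT = "%y%m%d%H%M"           # format the dashboard text box expects
BEFORE_HOURS, AFTER_HOURS = 1, 5  # window from the question: -1h / +5h


def parse_user_time(text):
    """Parse a %y%m%d%H%M string into an aware UTC datetime.

    Unlike the lenient eval in the thread, where a null $value$ became
    2000-01-01 00:00 local time, empty or malformed input raises ValueError.
    """
    if text is None or not text.strip():
        raise ValueError("time input is empty")
    digits = text.strip()
    if len(digits) != 10 or not digits.isdigit():
        raise ValueError(f"expected 10 digits in {TIME_FMT}, got {digits!r}")
    # strptime itself rejects impossible fields such as month 13 or hour 25
    naive = datetime.strptime(digits, TIME_FMT)
    # Assumption: the input is UTC; a real dashboard would apply the
    # server's or the user's time zone here.
    return naive.replace(tzinfo=timezone.utc)


def is_valid_time_input(text):
    """True if parse_user_time would accept the text, False otherwise."""
    try:
        parse_user_time(text)
    except ValueError:
        return False
    return True


def search_window(text, before_hours=BEFORE_HOURS, after_hours=AFTER_HOURS):
    """Return (earliest, latest) epoch seconds, the same arithmetic as
    relative_time(t, "-1h") / relative_time(t, "+5h") or t-3600 / t+18000."""
    t = parse_user_time(text)
    earliest = int((t - timedelta(hours=before_hours)).timestamp())
    latest = int((t + timedelta(hours=after_hours)).timestamp())
    return earliest, latest


def spl_time_modifiers(text):
    """Render the window as the earliest=/latest= pair used in the search."""
    earliest, latest = search_window(text)
    return f"earliest={earliest} latest={latest}"


def as_display(epoch_seconds):
    """Mirror the dashboard's strftime(x, "%y-%m-%d %H:%M") sanity check, in UTC."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%y-%m-%d %H:%M")


if __name__ == "__main__":
    sample = "1607061700"  # the value from the question: July 6th, 2016 5:00 PM
    print(spl_time_modifiers(sample))
    e, l = search_window(sample)
    print(as_display(e), "->", as_display(l))
    # constructed bad inputs: empty token, too short, month 13
    for bad in ("", "16070617", "1613061700"):
        print(repr(bad), "valid" if is_valid_time_input(bad) else "rejected")
```

Feeding the validated `earliest=... latest=...` pair into the search, rather than the raw token, means a blank or mistyped box fails visibly instead of quietly searching the start of 2000, which is the symptom brianlee12 hit above.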

brianlee12
Engager

Copied and pasted that into my dashboard and it didn't work for me. Not sure why; it could be something to do with Splunk settings.

0 Karma