Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to parse a timestamp field from a user text input to use for the search time range?

brianlee12
Engager
‎07-08-2016 10:52 AM

Hi guys,

So I have an input field where the user inputs text in the format %y%m%d%H%M, for example 1607061700, which would be July 6th, 2016 5:00 PM. I would like to parse this input and set my search time range to be an hour before and 5 hours after this time. I've tried using subsearches and messing with the XML, but can't seem to get anything to work. Any help would be greatly appreciated. Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-08-2016 11:26 AM

Try this

<input type="text">
      <change>
        <eval token="e">strptime($value$, "%y%m%d%H%M")-3600</eval>
        <eval token="l">strptime($value$, "%y%m%d%H%M")+18000</eval>
      </change>
<input>

In your search query, use earliest=$e$ latest=$l$

View solution in original post

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-08-2016 04:08 PM

Since the $value$ is not working, try this approach in your panel's search

index=xyz  [| gentimes start=-1 | eval earliest=relative_time(strptime($t$, "%y%m%d%H%M"), "-1h") | eval latest=relative_time(strptime($t$, "%y%m%d%H%M"), "+5h") | table earliest latest]
0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-08-2016 11:26 AM

Try this

<input type="text">
      <change>
        <eval token="e">strptime($value$, "%y%m%d%H%M")-3600</eval>
        <eval token="l">strptime($value$, "%y%m%d%H%M")+18000</eval>
      </change>
<input>

In your search query, use earliest=$e$ latest=$l$

0 Karma
Reply
Solved! Jump to solution

brianlee12
Engager
‎07-08-2016 02:28 PM

For some reason, the resulting e and l values are earliest=946710000 latest=946731600 which translates to (12/31/99 11:00:00.000 PM to 1/1/00 5:00:00.000 AM). Not sure why strptime isn't parsing this correctly.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-08-2016 02:31 PM

Try this

<eval token="e">relative_time(strptime($value$, "%y%m%d%H%M"), "-1h")</eval>
0 Karma
Reply
Solved! Jump to solution

brianlee12
Engager
‎07-08-2016 03:23 PM

Just did a little debugging. The issue is with the $value$ token which currently carries the value of null for some reason.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-08-2016 03:37 PM

which splunk version?

0 Karma
Reply
Solved! Jump to solution

brianlee12
Engager
‎07-08-2016 03:38 PM

Splunk 6.3 what about you?

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-08-2016 03:50 PM

I have version 6.4. Shouldn't make any difference. I tried using $t$ (token name for the text box) instead of $value$, and I get the incorrect date.

0 Karma
Reply
Solved! Jump to solution

brianlee12
Engager
‎07-08-2016 03:54 PM

Yeah I'm really not sure why $value$ is giving me null. $t$ and $t.value$ also don't work for me.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-08-2016 03:58 PM

Try using $t$ in the panel's search. See if you get the value there.

0 Karma
Reply
Solved! Jump to solution

brianlee12
Engager
‎07-08-2016 04:08 PM

Fixed the problem. Using value with no $ around it worked for me.

0 Karma
Reply
Solved! Jump to solution

brianlee12
Engager
‎07-08-2016 04:02 PM

Do you know any other way of doing this that might work?

0 Karma
Reply
Solved! Jump to solution

brianlee12
Engager
‎07-08-2016 04:00 PM

using $t$ in the search query works for me

0 Karma
Reply
Solved! Jump to solution

brianlee12
Engager
‎07-08-2016 03:12 PM

Still the same result. The issue is with strptime not parsing the input correctly. strptime($value$, "%y%m%d%H%M") produces 1/1/00 12:00:00.000 AM which I'm assuming is the default or starting time.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-08-2016 03:27 PM

I just tried this and I get right results

    <form>
      <label>Test Dashboard</label>
      <fieldset submitButton="false">
        <input type="text" token="t">
          <label>field1</label>
          <default>1607061700</default>
          <change>
            <eval token="e">relative_time(strptime($value$, "%y%m%d%H%M"), "-1h")</eval>
            <eval token="l">strptime($value$, "%y%m%d%H%M")+18000</eval>
          </change>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <title>$e$ ($l$)</title>
            <search>
              <query>| gentimes start=-1 | eval x="$e$" | eval y="$l$" | eval z=strftime(x, "%y-%m-%d %H:%M") | eval a=strftime(y, "%y-%m-%d %H:%M") | table x y z a</query>
              <earliest>-15m</earliest>
              <latest>now</latest>
            </search>
          </table>
        </panel>
      </row>
    </form>
0 Karma
Reply
Solved! Jump to solution

brianlee12
Engager
‎07-08-2016 03:35 PM

Copy and pasted that into my dashboard and didn't work for me. Not sure why it could be something to do with splunk settings.alt text

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...