Splunk Search

How to pass time token to the custom field based on search

Loves-to-Learn Lots


I have onboarded data via DBConnect through Rising Column for which we have configured the Risinig Column value as RS_LAST_MAINTENANCE_TIMESTAMP which is the default Time field. But in the dashboard we have filtering the month wise apps count based on APPLICATION_CRT_DT which has no timestamp. Issue is if we search data for last 7 days, Jan month data is also populating as that particular app is created on Jan month and updating values in last 7 days.

so, written "where" condition like below which is not working in all cases(working only when searching since "date",applying epoc time for the below where condition and getting accurate results, but when searching for last 7 days or 24 hrs or all time, that parameter is passing as -7d@d and getting error as invalid). Kindly help on this

<input type="time" token="datefield"







<query>index=* source=tablename
|eval Total_Apps=if(match('Type',"NTB"),"1","0")

|eval Date=strptime(APPLICATION_CRT_DT,"%Y-%m-%d %H:%M:%S")

|where Date&gt;=$datefield.earliest$ OR Date&tl;=$datefield.latest$
|eval Mon-Year=strftime(strptime(APPLICATION_CRT_DT,"%Y-%m-%d %H:%M:%S"),%b-%Y)

|stats sum(Total_Apps) as "Total Apps" by Mon-Year

Labels (1)
0 Karma


Try something like this

|where Date&gt;=relative_time(now(),$datefield.earliest$) OR Date&lt;=relative_time(now(),$datefield.latest$)
0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...