I am trying queries in Splunk and learning it. I have a dashboard where there are two text inputs, From and To, where a user will enter time like this:
And I am passing it to earliestTime and latestTime like this:
Now, instead of
T, I want a blank space. How can I do this?
I tried to use eval replace function, but that is not working.
[I don't want to use time-picker of Splunk.]
I think I am not precise in my question. Instead of T in the time entered, I want a blank space so that it will be more convenient for the user. But when I do that, it is not accepting that time. Besides, I used strptime and strftime with eval, but I am not getting how can I pass it in ealiestTime and latestTime.
You can set up an eval-based macro like this:
[my_strptime(1)] args = time definition = strptime("$time$", "%F %T") iseval = 1
Then drop the earliest and latest elements from your search element and instead specify the time range directly in the search:
index=foo earliest=`my_strptime($from$)` latest=`my_strptime($to$)`
I tried this few days back and did't work. I was wondering what went wrong., it seems my macro was private. I worked perfect. Thanks a lot for the help!