Hi @sarit_s,
the rest command extracts the data; then you can filter this data using the fields containing time and date, as with all the other fields.
Ciao.
Giuseppe
yes, I have this field
but since the time picker is not working with the rest command, I need to get it from the query,
something like earliest and latest based on a specific field
Hi @sarit_s,
you cannot use the time picker in the usual way: you have to pass the tokens to the search, creating the filters, e.g. if the Time Picker token is called "Time" and the fields containing date (09/28/2022) and time (11:11.22) are "date" and "time":
| rest .....
| eval timestamp=strptime(date.time,"%m/%d/%Y%H:%M:%S")
| search timestamp>$Time.earliest$ timestamp<$Time.latest$
Ciao.
Giuseppe
thanks
how can I set the tokens?
this is my query:
|rest /servicesNS/admin/search/alerts/fired_alerts/-
|fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered
| join savedsearch_name [
| rest splunk_server=local count=0 /services/saved/searches
| rename title as savedsearch_name
| lookup mailingList.csv "action.email.to" OUTPUT teamName
| table action.email.to savedsearch_name teamName]
trigger_time_rendered looks like: 2022-09-28 09:20:31 UTC
when inserting this part:
| eval timestamp=strptime(date.time,"%Y/%m/%d%H:%M:%S")
| search timestamp>$trigger_time_rendere.earliest$ timestamp<$trigger_time_rendere.latest$
I'm getting no results at all
Hi @sarit_s,
to compare timestamps, you have to convert all of them to epoch time:
| eval
timestamp=strptime(date.time,"%Y/%m/%d%H:%M:%S"),
trigger_time_earliest=strptime($trigger_time_rendere.earliest$,"%Y/%m/%d%H:%M:%S"),
trigger_time_latest=strptime($trigger_time_rendere.latest$,"%Y/%m/%d%H:%M:%S")
| search timestamp>trigger_time_earliest timestamp<trigger_time_latest
Ciao.
Giuseppe
still no results 😞
Hi @sarit_s,
when I said "date.time" I meant to create a timestamp from the two fields that you said you have, but what are the names of the date and time fields that you said you have in the rest output?
You have to put them in the eval command to create the timestamp field to use in the filter.
Ciao.
Giuseppe
I have one field with date and time:
trigger_time_rendered
|rest /servicesNS/admin/search/alerts/fired_alerts/-
|fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered
| eval
timestamp=strptime(trigger_time_rendered,"%Y/%m/%d%H:%M:%S"),
trigger_time_earliest=strptime($trigger_time_rendered.earliest$,"%Y/%m/%d%H:%M:%S"),
trigger_time_latest=strptime($trigger_time_rendered.latest$,"%Y/%m/%d%H:%M:%S")
| search timestamp>trigger_time_earliest timestamp<trigger_time_latest
| join savedsearch_name [
| rest splunk_server=local count=0 /services/saved/searches
| rename title as savedsearch_name
| lookup mailingList.csv "action.email.to" OUTPUT teamName
| table action.email.to savedsearch_name teamName]
Is the fact that it also contains the TZ related? Maybe it should also be part of the conversion?
Hi @sarit_s,
please try this:
| eval
trigger_time_rendere=strptime(trigger_time_rendere,"%Y/%m/%d%H:%M:%S")
| search trigger_time_rendere>$Time.earliest$ trigger_time_rendere<$Time.latest$
if it doesn't run, please tell me the result of:
| eval
trigger_time_rendere=strptime(trigger_time_rendere,"%Y/%m/%d%H:%M:%S")
| table trigger_time_rendere $Time.earliest$ $Time.latest$
Ciao.
Giuseppe
no results for both
what is 'Time'? I don't have such a field
ok.. so I've added the token and still nothing
|rest /servicesNS/admin/search/alerts/fired_alerts/-
|fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered
| eval
timestamp=strptime(trigger_time_rendered,"%Y/%m/%d%H:%M:%S"),
trigger_time_earliest=strptime($last_15_mins.earliest$,"%Y/%m/%d%H:%M:%S"),
trigger_time_latest=strptime($last_15_mins.latest$,"%Y/%m/%d%H:%M:%S")
| search timestamp>trigger_time_earliest timestamp<trigger_time_latest
| join savedsearch_name [
| rest splunk_server=local count=0 /services/saved/searches
| rename title as savedsearch_name
| lookup mailingList.csv "action.email.to" OUTPUT teamName
| table action.email.to savedsearch_name teamName]
Hi @sarit_s,
if the format of trigger_time_rendered is like: 2022-09-28 09:20:31 UTC
the eval isn't correct; please replace it with this:
| rest /servicesNS/admin/search/alerts/fired_alerts/-
| fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered
| eval
timestamp=strptime(trigger_time_rendered,"%Y-%m-%d %H:%M:%S %Z"),
trigger_time_earliest=strptime($last_15_mins.earliest$,"%Y/%m/%d%H:%M:%S"),
trigger_time_latest=strptime($last_15_mins.latest$,"%Y/%m/%d%H:%M:%S")
| search timestamp>trigger_time_earliest timestamp<trigger_time_latest
| join savedsearch_name [
| rest splunk_server=local count=0 /services/saved/searches
| rename title as savedsearch_name
| lookup mailingList.csv "action.email.to" OUTPUT teamName
| table action.email.to savedsearch_name teamName]
Ciao.
Giuseppe
still nothing 😞
Hi @sarit_s,
please execute this and tell me the results:
| rest /servicesNS/admin/search/alerts/fired_alerts/-
| fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered
| eval
timestamp=strptime(trigger_time_rendered,"%Y-%m-%d %H:%M:%S %Z"),
trigger_time_earliest=strptime($last_15_mins.earliest$,"%Y/%m/%d%H:%M:%S"),
trigger_time_latest=strptime($last_15_mins.latest$,"%Y/%m/%d%H:%M:%S")
| table timestamp trigger_time_rendered trigger_time_earliest $last_15_mins.earliest$ trigger_time_latest $last_15_mins.latest$
check if you have all the values and if the format is correct.
Ciao.
Giuseppe
only timestamp and trigger_time_rendered have values; all the rest are empty
maybe I'm getting the wrong token, I took it from
Settings --> User interface » Time ranges
Hi @sarit_s,
no, you have to take the token in your dashboard, in the Time Picker.
The token name is set by you.
Ciao.
Giuseppe
I don't have any dashboard; it is a simple query