Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use date-time field from event as span for search in Dashboard

tkwaller_2
Communicator
‎04-04-2018 08:01 AM

Hello

I have a field in my events that is named info_date_resReviewed in format "2017-09-24 00:00:00" and I'd like to use it as search delimiters. So really you could enter an earliest/latest "info_date_resReviewed" and get results based on the span of this field.

So
earliest ="info_date_resReviewed" and latest="info_date_resReviewed"

I was thinking dropdowns with available "info_date_resReviewed" and then using the tokens but havent gotten it to work. Any suggestions?

Thanks!

0 Karma
Reply

adonio
Ultra Champion
‎04-04-2018 08:18 AM

hello there,
splunk can use this format: "10/5/2016:20:00:00" for earliest= and latest=
first, modify your time to match this format using strptime or convert or other method.
than you can create a form input for earliest and latest, have the form inputs for latest dynamic and present only values greater than the value you chose for earliest to avoid conflict
create a dashboard with search/es, panels (or base search) that starts with earliest="$earliest$" latest="$latest$" and add your queries.

hope it helps

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...