Solved: Re: Howto use _time to compare with field with tim...

krusovice · ‎04-27-2019

Hello,

I've a field with date/time in it. The field name is system_created_on=2019-04-26 09:38:24.

I have a time picker and I would like to use the date selected to compare with a field with date/time. For example, when user select 4/26/2019, I need to have the query to match with"2019-04-26" from system_created_on field. How can I achieve this?

Thanks.

woodcock · ‎04-27-2019

Like this:

index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo eatliest=0 latest=now
| eval system_created_on=strptime(system_created_on, "%Y-%m-%d %H:%M:%S")
| addinfo
| where (system_created_on >= info_min_time AND system_created_on <= info_max_time)
| fieldformat system_created_on=strftime(system_created_on, "%Y-%m-%d %H:%M:%S")

View solution in original post

woodcock · ‎04-27-2019

Like this:

index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo eatliest=0 latest=now
| eval system_created_on=strptime(system_created_on, "%Y-%m-%d %H:%M:%S")
| addinfo
| where (system_created_on >= info_min_time AND system_created_on <= info_max_time)
| fieldformat system_created_on=strftime(system_created_on, "%Y-%m-%d %H:%M:%S")

krusovice · ‎04-28-2019

Wow thanks, it works!

Howto use _time to compare with field with time

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes