Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I want to replace hard coded text "Today" by current system date in splunk report

avikc100
Path Finder
‎04-24-2025 01:09 PM

I want to replace hard coded text "Today" by current system date in splunk report. Please help if it is possible.
Please see the attachment.

Labels (1)
Labels
Preview file
325 KB
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎04-24-2025 08:44 PM

This is confusing: how do you get those "hard coded" text in the first place? In Splunk, the opposite is harder, rendering system date into English word strings.

But if you got those strings in some dataset, you sure can "translate" them back.  Suppose your hard coded input is called hardcoded, this search will turn the string into systemdate:

| eval decrement = case(
  hardcoded == "Today", 0,
  hardcoded == "Yesterday", 1,
  true(), replace(hardcoded, "Last (\d+).+", "\1")
  )
| eval systemdate = strftime(relative_time(now(), "-" . decrement . "day"), "%F")
decrementhardcodedsystemdate
0Today2025-04-24
1Yesterday2025-04-23
2Last 2nd Day2025-04-22
3Last 3rd Day2025-04-21
4Last 4th Day2025-04-20
5Last 5th Day2025-04-19

Here is a full emulation for you to play with and compare with real data.

| makeresults format=csv data="hardcoded
Today
Yesterday
Last 2nd Day
Last 3rd Day
Last 4th Day
Last 5th Day"
| eval decrement = case(
  hardcoded == "Today", 0,
  hardcoded == "Yesterday", 1,
  true(), replace(hardcoded, "Last (\d+).+", "\1")
  )
| eval systemdate = strftime(relative_time(now(), "-" . decrement . "day"), "%F")
0 Karma
Reply

avikc100
Path Finder
‎05-03-2025 06:07 AM

sorry for confusion!

i want system date here in this test area in the dashboard.

avikc100_0-1746277523838.png

 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎05-03-2025 09:20 AM

Then, where does the dashboard get those strings? In other words, what is the code in that dashboard that prints those strings?

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎05-03-2025 07:04 AM

Hi @avikc100 

Were you able to try my previous example (see below)? If there is an issue with this i'd be happy to try and resolve for you.

Thanks

@livehybrid wrote:

Hi @avikc100 

You can create a search that calculates the relevant dates which set tokens and then use the tokens:

  <search id="days">
    <query>| makeresults 
| eval dayMinus0=strftime(now(), "%d/%m/%Y") 
| eval dayMinus1=strftime(now()-86400, "%d/%m/%Y") 
| eval dayMinus2=strftime(now()-(86400*2), "%d/%m/%Y") 
| eval dayMinus3=strftime(now()-(86400*3), "%d/%m/%Y") 
| eval dayMinus4=strftime(now()-(86400*4), "%d/%m/%Y") 
| eval dayMinus5=strftime(now()-(86400*5), "%d/%m/%Y")</query>
    <done>
      <set token="dayMinus0">$result.dayMinus0$</set>
      <set token="dayMinus1">$result.dayMinus1$</set>
      <set token="dayMinus2">$result.dayMinus2$</set>
      <set token="dayMinus3">$result.dayMinus3$</set>
      <set token="dayMinus4">$result.dayMinus4$</set>
      <set token="dayMinus5">$result.dayMinus5$</set>
    </done>
  </search>

Then use $dayMinusN$ for each Title - where N is the number of days, like this:

livehybrid_0-1745526323234.png

 

Below is the full XML example of that dashboard above for you to play with if it helps:

<dashboard version="1.1" theme="light">
  <label>SplunkAnswers1</label>
  <search id="days">
    <query>| makeresults 
| eval dayMinus0=strftime(now(), "%d/%m/%Y") 
| eval dayMinus1=strftime(now()-86400, "%d/%m/%Y") 
| eval dayMinus2=strftime(now()-(86400*2), "%d/%m/%Y") 
| eval dayMinus3=strftime(now()-(86400*3), "%d/%m/%Y") 
| eval dayMinus4=strftime(now()-(86400*4), "%d/%m/%Y") 
| eval dayMinus5=strftime(now()-(86400*5), "%d/%m/%Y")</query>
    <done>
      <set token="dayMinus0">$result.dayMinus0$</set>
      <set token="dayMinus1">$result.dayMinus1$</set>
      <set token="dayMinus2">$result.dayMinus2$</set>
      <set token="dayMinus3">$result.dayMinus3$</set>
      <set token="dayMinus4">$result.dayMinus4$</set>
      <set token="dayMinus5">$result.dayMinus5$</set>
    </done>
  </search>
  <search id="baseTest">
    <query>|tstats count where index=_internal by _time, host span=1d 
| eval daysAgo=floor((now()-_time)/86400)</query>
    <earliest>-7d@d</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <row>
    <panel>
      <table>
        <title>$dayMinus0$</title>
        <search base="baseTest">
          <query>| where daysAgo=0 | table host count</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>$dayMinus1$</title>
        <search base="baseTest">
          <query>| where daysAgo=1 | table host count</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>$dayMinus2$</title>
        <search base="baseTest">
          <query>| where daysAgo=2 | table host count</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>$dayMinus3$</title>
        <search base="baseTest">
          <query>| where daysAgo=3 | table host count</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>$dayMinus4$</title>
        <search base="baseTest">
          <query>| where daysAgo=4 | table host count</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>$dayMinus5$</title>
        <search base="baseTest">
          <query>| where daysAgo=5 | table host count</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-03-2025 06:28 AM

Please provide the source code for your dashboard in a code block using the </> button to insert the text.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎04-24-2025 01:25 PM

Hi @avikc100 

You can create a search that calculates the relevant dates which set tokens and then use the tokens:

  <search id="days">
    <query>| makeresults 
| eval dayMinus0=strftime(now(), "%d/%m/%Y") 
| eval dayMinus1=strftime(now()-86400, "%d/%m/%Y") 
| eval dayMinus2=strftime(now()-(86400*2), "%d/%m/%Y") 
| eval dayMinus3=strftime(now()-(86400*3), "%d/%m/%Y") 
| eval dayMinus4=strftime(now()-(86400*4), "%d/%m/%Y") 
| eval dayMinus5=strftime(now()-(86400*5), "%d/%m/%Y")</query>
    <done>
      <set token="dayMinus0">$result.dayMinus0$</set>
      <set token="dayMinus1">$result.dayMinus1$</set>
      <set token="dayMinus2">$result.dayMinus2$</set>
      <set token="dayMinus3">$result.dayMinus3$</set>
      <set token="dayMinus4">$result.dayMinus4$</set>
      <set token="dayMinus5">$result.dayMinus5$</set>
    </done>
  </search>

Then use $dayMinusN$ for each Title - where N is the number of days, like this:

livehybrid_0-1745526323234.png

 

Below is the full XML example of that dashboard above for you to play with if it helps:

<dashboard version="1.1" theme="light">
  <label>SplunkAnswers1</label>
  <search id="days">
    <query>| makeresults 
| eval dayMinus0=strftime(now(), "%d/%m/%Y") 
| eval dayMinus1=strftime(now()-86400, "%d/%m/%Y") 
| eval dayMinus2=strftime(now()-(86400*2), "%d/%m/%Y") 
| eval dayMinus3=strftime(now()-(86400*3), "%d/%m/%Y") 
| eval dayMinus4=strftime(now()-(86400*4), "%d/%m/%Y") 
| eval dayMinus5=strftime(now()-(86400*5), "%d/%m/%Y")</query>
    <done>
      <set token="dayMinus0">$result.dayMinus0$</set>
      <set token="dayMinus1">$result.dayMinus1$</set>
      <set token="dayMinus2">$result.dayMinus2$</set>
      <set token="dayMinus3">$result.dayMinus3$</set>
      <set token="dayMinus4">$result.dayMinus4$</set>
      <set token="dayMinus5">$result.dayMinus5$</set>
    </done>
  </search>
  <search id="baseTest">
    <query>|tstats count where index=_internal by _time, host span=1d 
| eval daysAgo=floor((now()-_time)/86400)</query>
    <earliest>-7d@d</earliest>
    <latest>now</latest>
    <sampleRatio>1</sampleRatio>
  </search>
  <row>
    <panel>
      <table>
        <title>$dayMinus0$</title>
        <search base="baseTest">
          <query>| where daysAgo=0 | table host count</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>$dayMinus1$</title>
        <search base="baseTest">
          <query>| where daysAgo=1 | table host count</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>$dayMinus2$</title>
        <search base="baseTest">
          <query>| where daysAgo=2 | table host count</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>$dayMinus3$</title>
        <search base="baseTest">
          <query>| where daysAgo=3 | table host count</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>$dayMinus4$</title>
        <search base="baseTest">
          <query>| where daysAgo=4 | table host count</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>$dayMinus5$</title>
        <search base="baseTest">
          <query>| where daysAgo=5 | table host count</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...

Index This | How many sevens are there between 1 and 100?

August 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...