Splunk Search

Reference Time on Dashboard Load (and adjust to time change)

mrstrozy
Path Finder

Hi,

I was wondering how I can reference the time picker on load for a dashboard and make sure that it's the right format. I am currently using two separate time pickers to reference two time periods for a table. The idea is to compare two different time periods and see the differences. What I would like to do is have the human readable date as the column name so if I had two different columns x and y, it would look like x (10-05-2018 to 10-20-2018) | y (11-05-2018 to 11-20-2018). The current issue I'm running into is the fact that the time can be in a couple different formats, either epoch time or the relative notation (-1d@d, now()).

I'm probably just lacking knowledge about something but I'd love to set a token that is human readable right on dashboard load and then update that human-readable token to be used in the queries every time the user changes the time picker.

Any help would be much appreciated.

Thanks!

0 Karma
1 Solution

mrstrozy
Path Finder

I believe I figured this out so here it is for anyone who is trying to get either the epoch time or the human readable.

For the epoch time you can do this if your time token is labeled "time_input":

time = case("$time_input.earliest$" == "now", now(),
    isnull(relative_time(now(), "$time_input.earliest$")), "$time_input.earliest$",
    true(), relative_time(now(), "$time_input.earliest$"))

If you want to get the human readable format of this you can just wrap the case function return in a strftime() command like so:

time = case("$time_input.earliest$" == "now", strftime(now(), "%Y-%m-%d"),
    isnull(relative_time(now(), "$time_input.earliest$")), "$time_input.earliest$",
    true(), strftime(relative_time(now(), "$time_input.earliest$"), "%Y-%m-%d"))

I know this is a little confusing but it works! Also, if you are using it please be careful/aware of the quotes. If you do not use them how they are used here you might run into weird issues/errors with the eval command trying to read something like "-@d".

0 Karma
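
A different route to the same label, as an added example that is not part of the original post: instead of resolving the token with case(), a small search runs addinfo over the picker's range and publishes a formatted token on dashboard load and on every picker change. The token name x_label, the dashboard labels and the makeresults table are hypothetical; only time_input comes from the post.

```xml
<!-- Added example, not from the original post. x_label and the makeresults
     table below are hypothetical stand-ins for your own token and search. -->
<form>
  <label>Time range label (constructed example)</label>
  <fieldset submitButton="false">
    <input type="time" token="time_input" searchWhenChanged="true">
      <label>Period X</label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Runs on load and again whenever time_input changes. addinfo exposes the
       resolved search window as epoch values (info_min_time, info_max_time),
       whether the picker supplied epoch or relative notation. -->
  <search>
    <query>| makeresults
| addinfo
| eval max_t=if(info_max_time=="+Infinity", now(), info_max_time)
| eval label=strftime(info_min_time, "%m-%d-%Y")." to ".strftime(max_t, "%m-%d-%Y")
| fields label</query>
    <earliest>$time_input.earliest$</earliest>
    <latest>$time_input.latest$</latest>
    <done>
      <!-- Publish the first result row's label field as a dashboard token -->
      <set token="x_label">$result.label$</set>
    </done>
  </search>

  <row>
    <panel>
      <table>
        <search>
          <!-- Waits for x_label, then uses it in the column name -->
          <query>| makeresults | eval x=1 | rename x AS "x ($x_label$)"</query>
          <earliest>$time_input.earliest$</earliest>
          <latest>$time_input.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The "+Infinity" check covers the All time preset, where addinfo reports an unbounded upper limit instead of an epoch value. A second picker for column y would repeat the same search with its own tokens.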
