Splunk Search

Time Conversion Issue with now(), 0, last 24 hours, since, etc.

genesiusj
Builder

Hello,
I'm having a time conversion issue with any earliest or latest time that is not in epoch.
Here is my XML code to convert time from epoch to the date/time format I need.

<eval token="startTime">strftime($form.Selected_Time_Range.earliest$,"%c")</eval>
<eval token="endTime">strftime($form.Selected_Time_Range.latest$,"%c")</eval>

I'm figuring to use a case statement in an eval (unless there is a better way) to check if the earliest or latest is not in epoch time. However, I am having difficulty figuring out the code for a case within an eval within XML.

In pseudo code.
If earliest = 0 OR earliest contains letters, then if 0 "Tue Dec 31, 1969 -- 7:00 PM", then if 0d@d, etc..... ?????
else run my conversion code
If latest = now() OR latest contains letters, then if now() ?????, then if 0d@d, etc..... ?????
else run my conversion code

My only other options are to train the users to NOT enter anything other than an actual date/time range, or to force that by limiting the options in the time picker. Neither of these is appealing.

I will continue to check the Answers for an.....answer.

Thanks and God bless,
Genesius

0 Karma

genesiusj
Builder

Don't know how to add an answer that is not from me, but from another Splunker on Answers. But I found this, which answers my requirements perfectly.

@harshpatel

How to display the exact date from time modifiers?

Thanks and God bless,
Genesius

0 Karma

woodcock
Esteemed Legend

Like this:

<eval token="startTime">case(
"$form.Selected_Time_Range.earliest$"=="0" OR match("$form.Selected_Time_Range.earliest$", "[a-zA-Z]"), "Tue Dec 31, 1969 -- 7:00 PM",
...
true(), strftime(tonumber("$form.Selected_Time_Range.earliest$"), "%c")
)</eval>
<eval token="endTime">case(
"$form.Selected_Time_Range.latest$"=="now", "whatever",
...
true(), strftime(tonumber("$form.Selected_Time_Range.latest$"), "%c")
)</eval>

genesiusj
Builder

@woodcock
What do the three dots (...) on lines 3 and 8 represent?
Apologies if it is obvious, but I'm missing it. 🙂

Thanks and God bless,
Genesius

0 Karma

woodcock
Esteemed Legend

Other options in the case statement, if you need them.

0 Karma

genesiusj
Builder

@woodcock
Where do these eval tags go?
I tried this

<fieldset submitButton="false">
  <input type="time" token="tok_time" searchWhenChanged="true">
    <label></label>
    <default>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
      <eval token="startTime">case(
          "$form.tok_time.earliest$"=="0" OR match("$form.tok_time.earliest$", "[a-zA-Z]"),
          "Tue Dec 31, 1969 -- 7:00 PM",
          true(),
          strftime(tonumber("$form.tok_time.earliest$"), "%c")
        )</eval>
      <eval token="endTime">case(
          "$form.tok_time.latest$"=="now",
          "whatever",
          true(),
          strftime(tonumber("$form.tok_time.latest$"), "%c")
        )</eval>
    </default>
  </input>
</fieldset>
......
<row>
  <panel>
    <search>
      <query>index=$tok_index$ AND FAILCODE=N
......
| eval receiptDateStart=strftime("$startTime$", "%m/%d/%Y")
......
| eval receiptDateEnd=strftime($endTime$-86400, "%m/%d/%Y")
......
      </query>
    </search>
  </panel>
</row>

But no luck. Search is waiting for input...

Thanks and God bless,
Genesius

0 Karma

niketn
Legend

@genesiusj you have missed the <change> event handler for the time input, which was supposed to handle this. The <eval> tag should not be within the <default> tag of the input, which is invoked only once, for the default value, on dashboard load.

<fieldset submitButton="false">
  <input type="time" token="tok_time" searchWhenChanged="true">
    <label></label>
    <default>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </default>
    <change>
      <eval token="startTime">case(
          "$form.tok_time.earliest$"=="0" OR match("$form.tok_time.earliest$", "[a-zA-Z]"),
          "Tue Dec 31, 1969 -- 7:00 PM",
          true(),
          strftime(tonumber("$form.tok_time.earliest$"), "%c")
        )</eval>
      <eval token="endTime">case(
          "$form.tok_time.latest$"=="now",
          "whatever",
          true(),
          strftime(tonumber("$form.tok_time.latest$"), "%c")
        )</eval>
    </change>
  </input>
</fieldset>

PS:
Whenever you use a token in the search, you should also add the token to the panel <title> or an <html> panel so that you can debug whether the token is being set correctly or not.

There are two approaches to handle the Splunk Time Picker input and capture the earliest and latest time tokens as epoch values to be passed to all the searches. Refer to one of the older answers explaining both approaches: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

One point I did not understand is that when you had Receipt Start Date and End Date in the format %m/%d/%Y, why did you first convert the same to %c? Also, once the time is already converted to string time, how can you apply another string time format? (Read the Splunk documentation and understand the difference between strptime(), i.e. conversion from string time to epoch, and strftime(), i.e. conversion from epoch time to string time.)

Please try out the two approaches in the above answer with the run-anywhere example and confirm whether it works for you or not.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

genesiusj
Builder

Anyone have any ideas?
Thanks and God bless,
Genesius

0 Karma

C_HIEN
Path Finder

I had the same problem and I solved it like this:
if(match("$form.Selected_Time_Range.earliest$","@"),strftime(relative_time(now(),"$form.Selected_Time_Range.earliest$"),"%c"),strftime(tonumber("$form.Selected_Time_Range.earliest$"),"%c"))

0 Karma
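A complete run-anywhere dashboard that puts niketn's point (the <eval> belongs in <change>, not <default>, and tokens should be shown in a panel <title> for debugging) together with C_HIEN's relative_time() conversion. This is an added example, not code from any post in this thread. It assumes the time picker hands back one of: an epoch string such as 1580000000, a relative modifier such as -24h@h, or the literals "0", "now" or "" (treating the empty string as "All time" is an assumption); it also relies on <eval> elements inside one <change> running in order, so later ones can read tokens set by earlier ones. Unlike the thread's snippets, it first normalises both values to epoch tokens and only then formats them, so the later search never calls strftime() on an already-formatted string.

```xml
<form>
  <label>Time picker tokens as readable dates (added example)</label>
  <fieldset submitButton="false">
    <input type="time" token="tok_time" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
      <!-- <change> runs on every picker change; <default> is only read once at load. -->
      <change>
        <!-- Step 1: normalise whatever the picker hands back to an epoch number.
             Branches: "" (assumption: "All time") -> epoch 0 / now(),
             a purely numeric string (epoch, including "0") -> tonumber(),
             anything else (e.g. -24h@h, @d, -7d@d) -> relative_time(). -->
        <eval token="startEpoch">case(
            "$form.tok_time.earliest$"=="", 0,
            match("$form.tok_time.earliest$", "^\d+(\.\d+)?$"), tonumber("$form.tok_time.earliest$"),
            true(), relative_time(now(), "$form.tok_time.earliest$"))</eval>
        <eval token="endEpoch">case(
            "$form.tok_time.latest$"=="" OR "$form.tok_time.latest$"=="now", now(),
            match("$form.tok_time.latest$", "^\d+(\.\d+)?$"), tonumber("$form.tok_time.latest$"),
            true(), relative_time(now(), "$form.tok_time.latest$"))</eval>
        <!-- Step 2: format the epoch tokens once; these read the tokens set just above. -->
        <eval token="startTime">strftime($startEpoch$, "%c")</eval>
        <eval token="endTime">strftime($endEpoch$, "%c")</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- Raw and derived tokens in the title, so a blank or "Invalid date" is visible at once. -->
      <title>raw: $form.tok_time.earliest$ / $form.tok_time.latest$ | start: $startTime$ | end: $endTime$</title>
      <table>
        <search>
          <query>| makeresults
| eval receiptDateStart=strftime($startEpoch$, "%m/%d/%Y"),
       receiptDateEnd=strftime($endEpoch$ - 86400, "%m/%d/%Y")
| table receiptDateStart receiptDateEnd</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Paste it as the source of a new dashboard and switch the picker between a preset, a relative range and an explicit date range: the title shows the raw token beside the derived one, so a branch that returns null (which surfaces as an unreplaced $startTime$ or "Invalid date") is immediately attributable to one of the three case() arms. Every token is quoted inside the eval because Simple XML substitutes tokens textually; an unquoted -24h@h or now is a parse error, not a string.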

genesiusj
Builder

@C_HIEN
Thank you.
Here is what I entered; again, I don't know the proper syntax for entering if() when evaluating a token.

<eval token="startTime">if(match("$form.Selected_Time_Range.earliest$","@"),strftime(relative_time(now(),"$form.Selected_Time_Range.earliest$"),"%c"),strftime(tonumber("$form.Selected_Time_Range.earliest$"),"%c"))</eval>

The value on my dashboard is now $startTime

Not sure if earliest would have now() as a possibility. I tried with latest, changing it accordingly.
The value on my dashboard was Invalid date.

What am I doing wrong?

Thanks and God bless,
Genesius

0 Karma