Splunk Search

convert timerange to epoch values

0range
Communicator

Hello!

I want to use my timerange as a filter in a search on a dashboard, like this:
..... | where mydate < $timepicker.latest$

But I need to convert values like "@d", "-1h" and so on to epoch.
And the latest may already be in epoch format. Then I do not need to convert.
How can I do this?


somesoni2
Revered Legend

If the same timepicker is used to define the timerange for the search, then this should work.

your search ..| where mydate < [|gentimes start=-1 | addinfo | eval search=info_max_time | table search]

The 'addinfo' command will create fields info_min_time (based on search's earliest time) and info_max_time (based on search's latest time) which are in epoch already.

0range
Communicator

No, the timepicker is not the same.

0 Karma

martin_mueller
SplunkTrust

For this notation you can use the relative_time() function:

... | where mydate < relative_time(now(), "$timepicker.latest$")

However, you first need to check whether it's a number or not and only apply this if it isn't:

... | where mydate < if(isnum("$timepicker.latest$"), $timepicker.latest$, relative_time(now(), "$timepicker.latest$"))

Note, I'm not 100% certain if this catches every case imaginable or not - make sure you test everything your users will need later.

jeffland
SplunkTrust

It appears you also have to catch a value of "now" explicitly, i.e.

... | where mydate < case(isnum("$timepicker.latest$"), $timepicker.latest$, $timepicker.latest$="now", now(), 1=1, relative_time(now(), "$timepicker.latest$"))
0 Karma

martin_mueller
SplunkTrust

It is. Run this dummy query to confirm:

| stats count as now | eval now = strftime(now(), "%+") | eval at_d = strftime(relative_time(now(), "@d"), "%+")
0 Karma

0range
Communicator

It seems that @d is not compatible with the relative_time function.

0 Karma
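The three branches of the case() expression earlier in the thread (epoch number, literal "now", relative-time modifier such as "-1h", "@d" or "-1d@d") modelled in Python so each token kind can be checked offline against a fixed clock. This is an added example, not code from the thread or from Splunk; it assumes a constructed sample NOW and supports only single-letter offset units (s, m, h, d, w) plus the snap-to units s, m, h, d, w0-w7, mon and y.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed helper, not code from the thread: a Python model of the SPL case()
# expression (isnum -> epoch as-is, "now" -> now(), else relative_time()).
NOW = datetime(2024, 3, 13, 15, 45, 30, tzinfo=timezone.utc)  # constructed clock, a Wednesday
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
_OFFSET_RE = re.compile(r"([+-]\d*)([smhdw])")
_SNAP = {"s": {}, "m": {"second": 0}, "h": {"minute": 0, "second": 0},
         "d": {"hour": 0, "minute": 0, "second": 0},
         "mon": {"day": 1, "hour": 0, "minute": 0, "second": 0},
         "y": {"month": 1, "day": 1, "hour": 0, "minute": 0, "second": 0}}


def _apply_offsets(t: datetime, text: str) -> datetime:
    """Apply every [+|-]<n><unit> offset in `text`; reject anything that is not one."""
    parts = _OFFSET_RE.findall(text)
    if "".join(s + u for s, u in parts) != text:
        raise ValueError(f"unparsable offset: {text!r}")
    for sign_num, unit in parts:
        n = int(sign_num + "1") if sign_num in ("+", "-") else int(sign_num)
        t += timedelta(**{_UNITS[unit]: n})
    return t


def _snap(t: datetime, unit: str) -> datetime:
    """Snap `t` back to the start of the unit; weeks start on Sunday (w0/w7), w1 = Monday."""
    if unit in _SNAP:
        return t.replace(microsecond=0, **_SNAP[unit])
    m = re.fullmatch(r"w([0-7])?", unit)
    if not m:
        raise ValueError(f"unsupported snap unit: {unit!r}")
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    target = int(m.group(1) or 0) % 7
    return day - timedelta(days=(day.weekday() + 1 - target) % 7)


def resolve_time_token(token: str, now: datetime) -> float:
    """Epoch seconds for a $timepicker.latest$-style token: epoch, "now", or e.g. "-7d@w0+3h"."""
    token = token.strip()
    if re.fullmatch(r"\d+(\.\d+)?", token):      # isnum() branch: already epoch
        return float(token)
    if token in ("", "now"):                      # the explicit "now" branch
        return now.timestamp()
    before, _, after = token.partition("@")       # Splunk applies the offset, then the snap
    t = _apply_offsets(now, before)
    if after:                                     # snap unit, then any trailing offset
        unit, rest = re.match(r"([a-z]*\d?)(.*)", after).groups()
        t = _apply_offsets(_snap(t, unit), rest)
    return t.timestamp()
```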