Hi,
I try to use a token from a drilldown in a previous view in my app. The token contain a date in this format: "%Y-%m-%d %H:%M:%S.%6Q" (possible to update the format but I need to show microseconds).
I used this code to change the format according to earliest and latest :
<input type="text" token="earliest">
<label>earliest</label>
<change>
<eval token="earliest_clean">strftime(strptime($value$,"%Y-%m-%d %H:%M:%S.%6Q"),"%m-%d-%y %H:%M:%S.%6Q")</eval>
</change>
</input>
<input type="text" token="latest">
<label>latest</label>
<change>
<eval token="latest_clean">strftime(strptime($value$,"%Y-%m-%d %H:%M:%S.%6Q"),"%m-%d-%y %H:%M:%S.%6Q")</eval>
</change>
</input>
I tried to use %3Q %Q %6N %3N, nothing works. The best result is using %3N, the function works but the result is wrong (milliseconds are missing after conversion):
2020-04-12 21:34:41.268 => 2020-04-12 21:34:41.000
Any idea to solve this issue ?
After solving this issue, I will need to solve another problem: Splunk is unable to search on same date/time. How to limit my search to a single microsecond ? If there is no other option, how can I add one microsecond to latest ?
... View more