Solved: Re: Display condition based result in dashboard (t...

nilanjankc · ‎07-02-2019

Hi
I am New to Splunk
I have created one dashboard like below
ProcessName LastUpdated
ProcessA 2019-05-16 14:42:21.12
ProcessB 2019-05-16 14:50:21.12
ProcessC 2019-05-16 14:55:21.12

But now I have to show only those data/results where the difference between EventTimeand LastUpdated is greater than 10 minutes
I have written a search
*index=test source=testSource | table ProcessName LastUpdated |eval diff = _time - strptime(LastUpdated, "%Y-%m-%d %H:%M:%S")| where diff >= 600 *

But I am getting empty result/No reslut though there are some records which fulfills my criteria.

can anyone help ..

renjith_nair · ‎07-02-2019

@nilanjankc ,

You dont have the _time in your final result because your are restricting the fields to ProcessName , LastUpdated by using the table command. Include _time as well in the table and you should be fine.

Also worth to check the time format and include microseconds if its needed

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎07-02-2019

@nilanjankc ,

You dont have the _time in your final result because your are restricting the fields to ProcessName , LastUpdated by using the table command. Include _time as well in the table and you should be fine.

Also worth to check the time format and include microseconds if its needed

---
What goes around comes around. If it helps, hit it with Karma 🙂

nilanjankc · ‎07-02-2019

Thank you for your help,its working now

Display condition based result in dashboard (time comparison)

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!