Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I convert time from a time range picker to epoch?

nick405060
Motivator
‎02-06-2019 03:27 PM

The following works for e.g. last week, last month, etc., but doesn't work where $TIMERANGE.latest$ is set by the picker to "now", or to a specific datetime value.

eval latest_EPOCH=relative_time(now(),"$TIMERANGE.latest$")

I've tried doing 

eval temp=if("$TIMERANGE.latest$"=="now","-0m","$TIMERANGE.latest$") | eval latest_EPOCH=relative_time(now(),temp)

and that fixes "now" but not specific date ranges.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-06-2019 03:30 PM

Hi Nick,

Here is one way to do it:

earliest=coalesce(if(isnum($TIMERANGE.earliest$"),$TIMERANGE.earliest$,relative_time(now(),$TIMERANGE.earliest$)),0)

latest=coalesce(if(isnum($TIMERANGE.latest$"),$TIMERANGE.latest$",relative_time(now(),$TIMERANGE.latest$")),99999999999)

Good luck

View solution in original post

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-07-2019 02:05 PM

If you're inside a dashboard, this is much much faster:

<input type="time" token="time">
  <label></label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
  <change>
    <eval token="earliest_epoch">case(isnum($earliest$), $earliest$, $earliest$=="now", time(), $earliest$="", 0, true(), relative_time(time(), $earliest$))</eval>
    <eval token="latest_epoch">case(isnum($latest$), $latest$, $latest$=="now", time(), true(), relative_time(time(), $latest$))</eval>
  </change>
</input>
Reply
Solved! Jump to solution

verbal_666
Builder
‎10-18-2024 12:03 AM

Great 👏👏👏👏👏👍
But maybe dashboard will not update variables/tokens until you manually change the picker.
Let's say i choose "-5m" from picker and latest is "now" for default, it will remain fixed to

relative_time(time(), $earliest$)

 the UNIX-time value, also if my panels refreshes.

So, letting dashboard has refreshing panels, the -5m will become -6 -7 -8 -9 -10 ......... untill you change the picker...

Also for

$latest$=="now", time()

Same concept for earliest... it becomes fixed until you refresh entire dashboard/picker.

0 Karma
Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-06-2019 03:30 PM

Hi Nick,

Here is one way to do it:

earliest=coalesce(if(isnum($TIMERANGE.earliest$"),$TIMERANGE.earliest$,relative_time(now(),$TIMERANGE.earliest$)),0)

latest=coalesce(if(isnum($TIMERANGE.latest$"),$TIMERANGE.latest$",relative_time(now(),$TIMERANGE.latest$")),99999999999)

Good luck

Reply
Solved! Jump to solution

verbal_666
Builder
‎10-18-2024 01:30 AM

Great, thanks 👏👏👏

I took my way, doing so,

 

|eval earliest_epoch="$time.earliest$",latest_epoch="$time.latest$"
|eval earliest_epoch=case(isnum(earliest_epoch),earliest_epoch,earliest_epoch=="now",time(),"earliest_epoch"="",0,true(),relative_time(time(),earliest_epoch))
|eval latest_epoch=case(isnum(latest_epoch),latest_epoch,latest_epoch=="now",time(),true(),relative_time(time(),latest_epoch))

 

 

0 Karma
Reply
Solved! Jump to solution

nick405060
Motivator
‎02-06-2019 03:32 PM

ty again! posted here on SA as well in case it helps anyone else out.

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-06-2019 05:14 PM

OK A better solution thanks to @micahkemp would be to do this :

your_search | addinfo | eval latest_EPOCH = info_max_time (or use rename)

Reply
Solved! Jump to solution

nick405060
Motivator
‎02-07-2019 12:47 PM

for that solution (the better solution) make sure you also have

<earliest>$TIMERANGE.earliest$</earliest>
<latest>$TIMERANGE.latest$</latest>

after the query stanza otherwise addinfo doesn't know where to get earliest and latest from; it will just default to be all-time

0 Karma
Reply
Solved! Jump to solution

nick405060
Motivator
‎03-19-2019 03:55 PM

So the solution posted here by @micahkemp does NOT work if you are using a post-process search, since the earliest and latest stanzas have to be identical to the base search. However the answers provided by @martin_mueller and @chrisyoungerjds will work

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...