Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I convert time from a time range picker to epoch?

nick405060
Motivator
‎02-06-2019 03:27 PM

The following works for e.g. last week, last month, etc., but doesn't work where $TIMERANGE.latest$ is set by the picker to "now", or to a specific datetime value.

eval latest_EPOCH=relative_time(now(),"$TIMERANGE.latest$")

I've tried doing 

eval temp=if("$TIMERANGE.latest$"=="now","-0m","$TIMERANGE.latest$") | eval latest_EPOCH=relative_time(now(),temp)

and that fixes "now" but not specific date ranges.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-06-2019 03:30 PM

Hi Nick,

Here is one way to do it:

earliest=coalesce(if(isnum($TIMERANGE.earliest$"),$TIMERANGE.earliest$,relative_time(now(),$TIMERANGE.earliest$)),0)

latest=coalesce(if(isnum($TIMERANGE.latest$"),$TIMERANGE.latest$",relative_time(now(),$TIMERANGE.latest$")),99999999999)

Good luck

View solution in original post

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-07-2019 02:05 PM

If you're inside a dashboard, this is much much faster:

<input type="time" token="time">
  <label></label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
  <change>
    <eval token="earliest_epoch">case(isnum($earliest$), $earliest$, $earliest$=="now", time(), $earliest$="", 0, true(), relative_time(time(), $earliest$))</eval>
    <eval token="latest_epoch">case(isnum($latest$), $latest$, $latest$=="now", time(), true(), relative_time(time(), $latest$))</eval>
  </change>
</input>
Reply
Solved! Jump to solution

verbal_666
Builder
‎10-18-2024 12:03 AM

Great 👏👏👏👏👏👍
But maybe dashboard will not update variables/tokens until you manually change the picker.
Let's say i choose "-5m" from picker and latest is "now" for default, it will remain fixed to

relative_time(time(), $earliest$)

 the UNIX-time value, also if my panels refreshes.

So, letting dashboard has refreshing panels, the -5m will become -6 -7 -8 -9 -10 ......... untill you change the picker...

Also for

$latest$=="now", time()

Same concept for earliest... it becomes fixed until you refresh entire dashboard/picker.

0 Karma
Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-06-2019 03:30 PM

Hi Nick,

Here is one way to do it:

earliest=coalesce(if(isnum($TIMERANGE.earliest$"),$TIMERANGE.earliest$,relative_time(now(),$TIMERANGE.earliest$)),0)

latest=coalesce(if(isnum($TIMERANGE.latest$"),$TIMERANGE.latest$",relative_time(now(),$TIMERANGE.latest$")),99999999999)

Good luck

Reply
Solved! Jump to solution

verbal_666
Builder
‎10-18-2024 01:30 AM

Great, thanks 👏👏👏

I took my way, doing so,

 

|eval earliest_epoch="$time.earliest$",latest_epoch="$time.latest$"
|eval earliest_epoch=case(isnum(earliest_epoch),earliest_epoch,earliest_epoch=="now",time(),"earliest_epoch"="",0,true(),relative_time(time(),earliest_epoch))
|eval latest_epoch=case(isnum(latest_epoch),latest_epoch,latest_epoch=="now",time(),true(),relative_time(time(),latest_epoch))

 

 

0 Karma
Reply
Solved! Jump to solution

nick405060
Motivator
‎02-06-2019 03:32 PM

ty again! posted here on SA as well in case it helps anyone else out.

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-06-2019 05:14 PM

OK A better solution thanks to @micahkemp would be to do this :

your_search | addinfo | eval latest_EPOCH = info_max_time (or use rename)

Reply
Solved! Jump to solution

nick405060
Motivator
‎02-07-2019 12:47 PM

for that solution (the better solution) make sure you also have

<earliest>$TIMERANGE.earliest$</earliest>
<latest>$TIMERANGE.latest$</latest>

after the query stanza otherwise addinfo doesn't know where to get earliest and latest from; it will just default to be all-time

0 Karma
Reply
Solved! Jump to solution

nick405060
Motivator
‎03-19-2019 03:55 PM

So the solution posted here by @micahkemp does NOT work if you are using a post-process search, since the earliest and latest stanzas have to be identical to the base search. However the answers provided by @martin_mueller and @chrisyoungerjds will work

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...