Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I convert time from a time range picker to epoch?

nick405060
Motivator
‎02-06-2019 03:27 PM

The following works for e.g. last week, last month, etc., but doesn't work where $TIMERANGE.latest$ is set by the picker to "now", or to a specific datetime value.

eval latest_EPOCH=relative_time(now(),"$TIMERANGE.latest$")

I've tried doing 

eval temp=if("$TIMERANGE.latest$"=="now","-0m","$TIMERANGE.latest$") | eval latest_EPOCH=relative_time(now(),temp)

and that fixes "now" but not specific date ranges.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-06-2019 03:30 PM

Hi Nick,

Here is one way to do it:

earliest=coalesce(if(isnum($TIMERANGE.earliest$"),$TIMERANGE.earliest$,relative_time(now(),$TIMERANGE.earliest$)),0)

latest=coalesce(if(isnum($TIMERANGE.latest$"),$TIMERANGE.latest$",relative_time(now(),$TIMERANGE.latest$")),99999999999)

Good luck

View solution in original post

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-07-2019 02:05 PM

If you're inside a dashboard, this is much much faster:

<input type="time" token="time">
  <label></label>
  <default>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </default>
  <change>
    <eval token="earliest_epoch">case(isnum($earliest$), $earliest$, $earliest$=="now", time(), $earliest$="", 0, true(), relative_time(time(), $earliest$))</eval>
    <eval token="latest_epoch">case(isnum($latest$), $latest$, $latest$=="now", time(), true(), relative_time(time(), $latest$))</eval>
  </change>
</input>
Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-06-2019 03:30 PM

Hi Nick,

Here is one way to do it:

earliest=coalesce(if(isnum($TIMERANGE.earliest$"),$TIMERANGE.earliest$,relative_time(now(),$TIMERANGE.earliest$)),0)

latest=coalesce(if(isnum($TIMERANGE.latest$"),$TIMERANGE.latest$",relative_time(now(),$TIMERANGE.latest$")),99999999999)

Good luck

Reply
Solved! Jump to solution

nick405060
Motivator
‎02-06-2019 03:32 PM

ty again! posted here on SA as well in case it helps anyone else out.

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-06-2019 05:14 PM

OK A better solution thanks to @micahkemp would be to do this :

your_search | addinfo | eval latest_EPOCH = info_max_time (or use rename)

Reply
Solved! Jump to solution

nick405060
Motivator
‎02-07-2019 12:47 PM

for that solution (the better solution) make sure you also have

<earliest>$TIMERANGE.earliest$</earliest>
<latest>$TIMERANGE.latest$</latest>

after the query stanza otherwise addinfo doesn't know where to get earliest and latest from; it will just default to be all-time

0 Karma
Reply
Solved! Jump to solution

nick405060
Motivator
‎03-19-2019 03:55 PM

So the solution posted here by @micahkemp does NOT work if you are using a post-process search, since the earliest and latest stanzas have to be identical to the base search. However the answers provided by @martin_mueller and @chrisyoungerjds will work

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...