Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to wrap time picker tokens to always get epoch time in search on dashboard?

Kmishkind
New Member
‎08-04-2014 01:06 PM

I have a search with a join and subsearch I wish to apply a date range to the subsearch. I have put the search into a dashboard and changed it to a form. I updated the subsearch to use a where statement to narrow the _time.

The values from the datetime picker are passed through the field1.earliest and field1.latest token-this works just fine so long as I set the date time picker to "between" exact dates. If I use "last month" or one of the other relative fields I get errors because I get the date modifier values passed to the token d@d and @mon instead of the epoch date.

So....is there a way of wrapping the tokens to always get the epoc time or do I change my query to somehow accept epoch and/or date modifiers.

Here is the subquery
......
join name
[search sourcetype=logs

|regex user!=("[0-9].|ws_")|where isnotnull(user)

|where _time>=$field1.earliest$ AND _time<=$field1.latest$
.... ]

Thanks for your yelp

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎08-04-2014 02:23 PM

Try this:

main search ... | join name [search earliest=$field1.earliest$ latest=$field1.latest$ sourcetype=logs user=* | regex user!= ...] ...

http://docs.splunk.com/Documentation/Splunk/6.1.2/Search/Specifytimemodifiersinyoursearch

0 Karma
Reply

somesoni2
Revered Legend
‎08-04-2014 01:47 PM

Try this

your base search...| join name [search sourcetype=logs  
[|gentimes start=-1 | eval earliest=if(isnum($field1.earliest$),$field1.earliest$,relative_time(now(),"$field1.earliest$") | latest=if(isnum($field1.latest$),$field1.latest$,relative_time(now(),"$field1.latest$") | return earliest,latest]
|regex user!=("[0-9].|ws_")|where isnotnull(user) ....

With the subsearch with subsearch (with 'gentimes') providing earliest and latest value for subsearch, the where condition will not be required.

0 Karma
Reply

Kmishkind
New Member
‎08-04-2014 01:35 PM

No-only the subsearch.

0 Karma
Reply

somesoni2
Revered Legend
‎08-04-2014 01:19 PM

Does the same timerange picker applies to main search??

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...