Splunk Search

How do I compare the log date with the time picker date?

twh1
Communicator

I want to check the records for which CREATE_TIME matches based on my date selection from time picker control. Currently, I am using the below query, which is always checking only for today's date.

index=os_na sourcetype="oracle_os:healthcheck" "ADR Home ="
| multikv
| table HOSTNAME INCIDENT_ID PROBLEM_KEY CREATE_TIME TIMESTAMP
| dedup INCIDENT_ID
| eval create_day=substr(CREATE_TIME, 1, 10)
| eval now_day=strftime(now(), "%m/%d/%Y")
| where INCIDENT_ID!=" " AND create_day==now_day

Could you please help me get the desired result?

0 Karma

varun8159
Explorer

Do you need earliest and latest token values of Time range picker to be used as filter for CREATE_TIME?

0 Karma

twh1
Communicator

Yes @varun8159. I want to compare: if the date range selected is 24th May to 25th May, I want to display the records for which CREATE_TIME is between 24th May and 25th May.

0 Karma

kamlesh_vaghela
SplunkTrust

Hi @twh1

As per your requirement to filter events on the basis of the selected time picker range, applied to the CREATE_TIME field, I have used the addinfo command: http://docs.splunk.com/Documentation/Splunk/7.1.3/SearchReference/Addinfo

Please try this:

YOUR_SEARCH
| eval created_time=strptime(CREATE_TIME,"%Y-%m-%d %H:%M:%S.%N") 
| addinfo 
| where (info_max_time="+Infinity" OR (created_time<info_max_time AND created_time>info_min_time))

My sample search.

| makeresults 
| eval _raw="
INCIDENT_ID          PROBLEM_KEY                                                 CREATE_TIME                              
 -------------------- ----------------------------------------------------------- ---------------------------------------- 
 102753               ORA 15064                                                   2018-05-24 15:38:50.242000 -04:00       
 107689               ORA 29740                                                   2018-05-24 17:04:00.414000 -04:00       
 112801               ORA 32701                                                   2018-05-24 20:59:14.420000 -04:00 
 " 
| multikv 
| eval created_time=strptime(CREATE_TIME,"%Y-%m-%d %H:%M:%S.%N") 
| addinfo 
| where (info_max_time="+Infinity" OR (created_time<info_max_time AND created_time>info_min_time))

Thanks

0 Karma
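The answer above compares a parsed CREATE_TIME epoch against the info_min_time / info_max_time bounds that addinfo exposes, with "+Infinity" standing for an unbounded latest time. The following Python is an added example, not code from the thread or from Splunk, that models that same where-clause outside Splunk so the boundary behaviour can be checked: the sample rows are constructed from the CREATE_TIME values posted above, picker_bounds() is a hypothetical helper that builds the epoch bounds for a one-day picker selection, and the timezone handling is an assumption worth verifying against your own data, because every posted CREATE_TIME carries a "-04:00" offset while a time picker's 00:00-24:00 is evaluated in the user's or the search head's timezone.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows, copied from the CREATE_TIME values posted in the thread.
SAMPLE_ROWS = [
    {"INCIDENT_ID": "102753", "PROBLEM_KEY": "ORA 15064",
     "CREATE_TIME": "2018-05-24 15:38:50.242000 -04:00"},
    {"INCIDENT_ID": "107689", "PROBLEM_KEY": "ORA 29740",
     "CREATE_TIME": "2018-05-24 17:04:00.414000 -04:00"},
    {"INCIDENT_ID": "112801", "PROBLEM_KEY": "ORA 32701",
     "CREATE_TIME": "2018-05-24 20:59:14.420000 -04:00"},
]

# Sentinel that Splunk's addinfo emits for info_max_time when "latest" is unbounded.
UNBOUNDED = "+Infinity"


def parse_create_time(value: str) -> float:
    """Epoch seconds for a CREATE_TIME string, honouring its trailing UTC offset.

    Python's %z accepts the colon form ("-04:00") from 3.7 onward, so the
    offset is applied instead of being silently dropped.
    """
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f %z").timestamp()


def picker_bounds(day: str, utc_offset_hours: int):
    """Hypothetical helper: (earliest, latest) epoch bounds for one calendar day
    (00:00 to 24:00) as a time picker in the given UTC offset would produce."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    start = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=tz)
    return start.timestamp(), (start + timedelta(days=1)).timestamp()


def in_time_range(created: float, info_min_time: float, info_max_time) -> bool:
    """Model of the posted where-clause.

    Splunk treats earliest as inclusive and latest as exclusive, so the lower
    bound is compared with <= here; the posted SPL uses a strict > and would
    drop an event created exactly at the earliest boundary.
    """
    if info_max_time == UNBOUNDED:          # "All time": only the lower bound applies
        return created >= info_min_time
    return info_min_time <= created < info_max_time


def filter_rows(rows, info_min_time, info_max_time):
    """Return the rows whose CREATE_TIME falls inside the picker bounds."""
    return [
        row for row in rows
        if in_time_range(parse_create_time(row["CREATE_TIME"]), info_min_time, info_max_time)
    ]


if __name__ == "__main__":
    # Same day selected, evaluated in the data's own offset versus in UTC.
    for label, offset in (("UTC-4", -4), ("UTC", 0)):
        lo, hi = picker_bounds("2018-05-24", offset)
        ids = [r["INCIDENT_ID"] for r in filter_rows(SAMPLE_ROWS, lo, hi)]
        print(f"2018-05-24 in {label}: {ids}")
    print("All time:", [r["INCIDENT_ID"] for r in filter_rows(SAMPLE_ROWS, 0, UNBOUNDED)])
```

Selecting 24 May in the data's own offset (UTC-4) returns all three incidents, while the same selection evaluated in UTC returns only the first two: the 20:59:14 -04:00 row is 00:59:14 UTC on 25 May, so it falls outside the day. If a search that "should" match returns nothing, comparing the epoch that strptime produced for CREATE_TIME with the info_min_time and info_max_time values (for example by adding them to the table) is the quickest way to see which side of the boundary the rows landed on.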

twh1
Communicator

Hi @kamlesh_vaghela ,
I tried above option and selected date range as 24th May but not getting any result.

0 Karma

kamlesh_vaghela
SplunkTrust

Hi @twh1

If you are executing my given search, then you have to select the date 2018-05-24 to get data.

0 Karma

twh1
Communicator

Hi @kamlesh_vaghela ,
I have selected the date range for which I have data, but still no data is coming (i.e. the create dates have data from 24th May to 27th May, and I selected the date 24th May 00:00 - 24:00).

0 Karma

kamlesh_vaghela
SplunkTrust

@twh1

Can you please share sample data for | table HOSTNAME INCIDENT_ID PROBLEM_KEY CREATE_TIME TIMESTAMP?

Are CREATE_TIME and TIMESTAMP the same?

0 Karma

twh1
Communicator

Hi @kamlesh_vaghela ,

You can find the same at the link below.

https://answers.splunk.com/answers/685745/how-do-you-get-tabular-event-with-field-value-pair.html

CREATE_TIME and TIMESTAMP are different times.

0 Karma