Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Add time in the Dashboard

exchanger
Path Finder
‎03-04-2021 05:29 AM

Hello,

I have a query (e.g. "....... " | stats count, avg(...)) and after that I get as result
OwnColumn Count AVG
XYZ                 20           40

As another column I would like to have the time of my request (last week, last 24 hours), depending on what I selected. And that in readable time.
Now I found the following command to show me the time.
| addinfo
| convert ctime(*)
| eval reportDate=info_min_time." to ".info_max_time
| table reportDate
| rex field=reportDate "(?<FirstPart>.*\d+:\d+:\d+).*\s+to\s+(?<SecondPart>.*\d+:\d+:\d+)"
| eval reportDate=FirstPart." to ".SecondPart
| fields reportDate

I customized it the query : "fields OwnColumn, reportDate, count, AVG..." so I can see my queries in the dashboard.
So requested would be
OwnColumn reportDate                                                                               count         AVG
XXX                 02/21/2021 00:00:00 to 02/28/2021 00:00:00      20                40
However, I either get only the reportDate and all the others remain empty or it converts the data from the other queries also into a date, so that 43 (which was for example in count) then also becomes a date. How do I change the query to get what I want?

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
SplunkTrust
SplunkTrust
‎03-04-2021 07:36 AM

hi @exchanger,

Function ctime(*) converts all field values. Change it to ctime(info_*_time).

| addinfo
| convert ctime(info_*_time) timeformat="%m/%d/%Y %H:%M:%S"
| eval reportDate=info_min_time." to ".info_max_time
| fields OwnColumn, reportDate, count, AVG

 

If this reply helps you, an upvote/like would be appreciated.

 

View solution in original post

Reply
Solved! Jump to solution
Solution

manjunathmeti
SplunkTrust
SplunkTrust
‎03-04-2021 07:36 AM

hi @exchanger,

Function ctime(*) converts all field values. Change it to ctime(info_*_time).

| addinfo
| convert ctime(info_*_time) timeformat="%m/%d/%Y %H:%M:%S"
| eval reportDate=info_min_time." to ".info_max_time
| fields OwnColumn, reportDate, count, AVG

 

If this reply helps you, an upvote/like would be appreciated.

 

Reply
Get Updates on the Splunk Community!

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...