Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Add time in the Dashboard

exchanger
Path Finder
‎03-04-2021 05:29 AM

Hello,

I have a query (e.g. "....... " | stats count, avg(...)) and after that I get as result
OwnColumn Count AVG
XYZ                 20           40

As another column I would like to have the time of my request (last week, last 24 hours), depending on what I selected. And that in readable time.
Now I found the following command to show me the time.
| addinfo
| convert ctime(*)
| eval reportDate=info_min_time." to ".info_max_time
| table reportDate
| rex field=reportDate "(?<FirstPart>.*\d+:\d+:\d+).*\s+to\s+(?<SecondPart>.*\d+:\d+:\d+)"
| eval reportDate=FirstPart." to ".SecondPart
| fields reportDate

I customized it the query : "fields OwnColumn, reportDate, count, AVG..." so I can see my queries in the dashboard.
So requested would be
OwnColumn reportDate                                                                               count         AVG
XXX                 02/21/2021 00:00:00 to 02/28/2021 00:00:00      20                40
However, I either get only the reportDate and all the others remain empty or it converts the data from the other queries also into a date, so that 43 (which was for example in count) then also becomes a date. How do I change the query to get what I want?

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-04-2021 07:36 AM

hi @exchanger,

Function ctime(*) converts all field values. Change it to ctime(info_*_time).

| addinfo
| convert ctime(info_*_time) timeformat="%m/%d/%Y %H:%M:%S"
| eval reportDate=info_min_time." to ".info_max_time
| fields OwnColumn, reportDate, count, AVG

 

If this reply helps you, an upvote/like would be appreciated.

 

View solution in original post

Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-04-2021 07:36 AM

hi @exchanger,

Function ctime(*) converts all field values. Change it to ctime(info_*_time).

| addinfo
| convert ctime(info_*_time) timeformat="%m/%d/%Y %H:%M:%S"
| eval reportDate=info_min_time." to ".info_max_time
| fields OwnColumn, reportDate, count, AVG

 

If this reply helps you, an upvote/like would be appreciated.

 

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...