Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Add time in the Dashboard

exchanger
Path Finder
‎03-04-2021 05:29 AM

Hello,

I have a query (e.g. "....... " | stats count, avg(...)) and after that I get as result
OwnColumn Count AVG
XYZ                 20           40

As another column I would like to have the time of my request (last week, last 24 hours), depending on what I selected. And that in readable time.
Now I found the following command to show me the time.
| addinfo
| convert ctime(*)
| eval reportDate=info_min_time." to ".info_max_time
| table reportDate
| rex field=reportDate "(?<FirstPart>.*\d+:\d+:\d+).*\s+to\s+(?<SecondPart>.*\d+:\d+:\d+)"
| eval reportDate=FirstPart." to ".SecondPart
| fields reportDate

I customized it the query : "fields OwnColumn, reportDate, count, AVG..." so I can see my queries in the dashboard.
So requested would be
OwnColumn reportDate                                                                               count         AVG
XXX                 02/21/2021 00:00:00 to 02/28/2021 00:00:00      20                40
However, I either get only the reportDate and all the others remain empty or it converts the data from the other queries also into a date, so that 43 (which was for example in count) then also becomes a date. How do I change the query to get what I want?

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-04-2021 07:36 AM

hi @exchanger,

Function ctime(*) converts all field values. Change it to ctime(info_*_time).

| addinfo
| convert ctime(info_*_time) timeformat="%m/%d/%Y %H:%M:%S"
| eval reportDate=info_min_time." to ".info_max_time
| fields OwnColumn, reportDate, count, AVG

 

If this reply helps you, an upvote/like would be appreciated.

 

View solution in original post

Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-04-2021 07:36 AM

hi @exchanger,

Function ctime(*) converts all field values. Change it to ctime(info_*_time).

| addinfo
| convert ctime(info_*_time) timeformat="%m/%d/%Y %H:%M:%S"
| eval reportDate=info_min_time." to ".info_max_time
| fields OwnColumn, reportDate, count, AVG

 

If this reply helps you, an upvote/like would be appreciated.

 

Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...