Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use a dashboard time range picker to reference a time column in a CSV file generated by an inputcsv search?

ishaanshekhar
Communicator
‎07-28-2015 10:22 AM

I have a csv file that I have not indexed and am using it directly through the inputcsv command. The problem is that since it is not indexed, it does not have a _time value by default. I want the dashboard to have a time range picker that would reference a column in the csv file as the _time.

I tried this search below, but that says no results found.

| inputcsv file.csv | eval _time=strptime(Ticket_Reported_Date,"%Y/%m/%d %H:%M:%S") | search earliest=$time_tok.earliest$ latest=$time_tok.latest$ | timechart span=1mon count

Please help!!! Thanks in advance!

Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-28-2015 12:40 PM

Replace your search with this:

... | where _time >="$time_tok.earliest$" AND _time < if("$time_tok.latest$"=="now", now(), "$time_tok.latest$") | ...

Make sure all the special cases such as all time are handled properly, add similar if() expressions if they aren't.

View solution in original post

Reply
Solved! Jump to solution

cspires64
Path Finder
‎08-07-2015 09:43 AM

This also works . . .
|inputlookup Example.csv | addinfo |eval et=round(info_min_time, 0) | eval lt=if(info_max_time='+Infinity', 'now', round(info_max_time, 0)) | convert timeformat="%Y/%m/%d %H:%M:%S" ctime(et), ctime(lt)| where DateField>=et AND DateField

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-28-2015 12:40 PM

Replace your search with this:

... | where _time >="$time_tok.earliest$" AND _time < if("$time_tok.latest$"=="now", now(), "$time_tok.latest$") | ...

Make sure all the special cases such as all time are handled properly, add similar if() expressions if they aren't.

Reply
Solved! Jump to solution

ishaanshekhar
Communicator
‎07-30-2015 01:28 AM

Thank you Martin! The search did indeed work... and as you said, would require all the special cases of time format. Is there a list that I could refer to include in my conditions... I guess relative dates could be anything so it may be difficult to maintain huge list of conditions.

Is it possible to use the time range picker as is, and directly use the token value without multiple conditions check?

If it is not possible, then I would try changing the time range view to include only fixed date range option and disable the rest.

Thank you!

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-31-2015 05:15 PM

I'd approach this with a small case() - one branch deals with "now", another with numbers for epoch timestamps, and another uses relative_time(now(), ) to deal with "-5m" and the like.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...