Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search within a timestamp that isn't _time?

kendrickt
Path Finder
‎04-07-2015 05:46 AM

Hi guys,

I'm trying to search within events on a specific day using a timestamp that is not _time and I also want to use the time picker values.

index=base search... | eval _time=strptime(NEWTIMESTAMP,"%Y-%m-%dT%H:%M:%SZ") | timechart count | where strptime(NEWTIMESTAMP,"%Y-%m-%dT%H:%M:%SZ") < $latest$

You can see I'm changing the NEWTIMESTAMP to _time so I can use it in the timechart. The problem is it is not applying the time set in the picker and it's just displaying all the results.

At what stage is the timepicker applied to the pipe?

How to I reference the timepicker?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎04-07-2015 05:59 AM

You can use the addinfo command to get the earliest epoch time info_min_time and latest epoch time info_max_time for that search. If NEWTIMESTAMP is epoch ...

index=base search... |  timechart count | where ((NEWTIMESTAMP < info_max_time) AND (NEWTIMESTAMP > info_min_time))

Otherwise you can first use convert or eval to translate NEWTIMESTAMP to epoch. Bonus: eval & where share same functions, so you can actually do the conversion from within the comparison.

View solution in original post

Reply
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎04-07-2015 05:59 AM

You can use the addinfo command to get the earliest epoch time info_min_time and latest epoch time info_max_time for that search. If NEWTIMESTAMP is epoch ...

index=base search... |  timechart count | where ((NEWTIMESTAMP < info_max_time) AND (NEWTIMESTAMP > info_min_time))

Otherwise you can first use convert or eval to translate NEWTIMESTAMP to epoch. Bonus: eval & where share same functions, so you can actually do the conversion from within the comparison.

Reply
Solved! Jump to solution

splunk_hvijay
Explorer
‎08-07-2016 04:41 PM

Hello,
I am struggling with the same question. I am trying to use a timestamp that is NOT _time. My time stamp is Transaction_Date. I am facing the same issue. When I click the small magnifying glass near the timepicker in the seach command, I am getting all results , which means it picking _time and Not Transaction date. I tried all the below commands and still not working. can you please help.

index=base search... | where ((NEWTIMESTAMP < info_max_time) AND (NEWTIMESTAMP > info_min_time))

index=base search | addinfo | eval NEWTS1=strptime(Transaction_Date,"%Y-%m-%dT%H:%M:%S.%N")  |   where ((NEWTS1 < info_max_time) AND (NEWTS1 > info_min_time))

I just want the magnifying glass to pick Transaction_Date timestamp.

0 Karma
Reply
Solved! Jump to solution

kendrickt
Path Finder
‎04-07-2015 06:31 AM

Thanks buddy,

Got it working with this:

index=base search | addinfo | eval NEWTS1=strptime(NEWTIMESTAMP,"%Y-%m-%dT%H:%M:%SZ")  |   where ((NEWTS1 < info_max_time) AND (NEWTS1 > info_min_time))
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...