Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I use a date field as a parameter to filter results for a dashboard search using join?

rkanumula
Path Finder
‎04-14-2015 05:18 AM

Hi,

I am using join in a splunk dashboard with two indexes with time as parameter, but i am not getting the correct results. Without the join, it is working fine.
The date column is st_date and I have used this column in the token also, but I am still getting the wrong output. Please suggest if I missed anything.

My search:

index=a| JOIN type=inner aid[ SEARCH index=b] |table st_date,aid,location

My Xml:

test Clone

<input type="time" token="st_date" searchWhenChanged="true">
  <default>
    <earliest>0</earliest>
    <latest></latest>
  </default>
</input>


<panel>
  <table>
    <search>
      <query>index=a| JOIN type=inner aid[ SEARCH index=b] |table st_date,aid,LOCATION</query>
      <earliest>$st_date.earliest$</earliest>
      <latest>$st_date.latest$</latest>
    </search>
    <option name="wrap">undefined</option>
    <option name="rowNumbers">undefined</option>
    <option name="drilldown">row</option>
    <option name="dataOverlayMode">none</option>
    <option name="count">10</option>
  </table>
</panel>

Index a

sno st_date aid
1 01/01/2014 10
2 01/01/2015 5

Index a

sno aid LOCATION
1 10 us
2 5 UK

If i select date (startdate & enddate) as '01/01/2014 ' & '02/01/2014 '

Expected result
sno LOCATION aid

1 us 10

but i am getting result as

sno LOCATION aid

1 us 10
2 UK 5

Please suggest how to get the Expected result and how to use date parameter as the where condition in splunk search/dashboard with join.

0 Karma
Reply

somesoni2
Revered Legend
‎04-14-2015 02:42 PM

In index=a, does the _time value matches the st_time? (means if the timestamp recognition is configured to pickup the event time from the value of field st_time)

0 Karma
Reply

rkanumula
Path Finder
‎04-14-2015 10:00 PM

No, _time values is current-date means '2015-04-15 00:56:07'.let me know the configuration settings for to match _time with the st_date

0 Karma
Reply

gyslainlatsa
Motivator
‎04-14-2015 06:14 AM

hi rkanumula,

remove the token st_date and try this, go in the dropdown time and select your time range.

<input type="time" searchWhenChanged="true">
    <default>Last 24 hours</default>
  </input>

  <panel>
    <table>
   <title>table using join between $earliest$ and $latest$</title>
      <search>
        <query>index=a| JOIN type=inner aid[ SEARCH index=b] |table aid,LOCATION</query>
      </search>
      <option name="wrap">undefined</option>
      <option name="rowNumbers">undefined</option>
      <option name="drilldown">row</option>
      <option name="dataOverlayMode">none</option>
      <option name="count">10</option>
    </table>
  </panel>
0 Karma
Reply

rkanumula
Path Finder
‎04-14-2015 06:51 AM

Hi,

stil i am getting the wrong results.i am using Date range in presets in time paramter.In that Date Range i am selecting the earliest and Latest dates then the results wil not be in the date range

0 Karma
Reply

gyslainlatsa
Motivator
‎04-14-2015 05:56 AM

hi rkanumula,

st_date is it a field in the index of your data?

0 Karma
Reply

rkanumula
Path Finder
‎04-14-2015 06:43 AM

st_date as column in my index .it should check with the date which i got from time paramter

means

st_date>'start_date' and st_date< 'end_date'

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...