How do I use case and match on a time token to det...

mboker · ‎06-05-2015

I have a time input, which I need to use to filter results of a search based on a date field in the search results. For example, this date could be birthdate for an account of some sort, and I want to filter on the birthdate, rather than the _time, which is when the information is logged. First, I am parsing out the birthdate with a regular expression, then converting it to seconds since the epoch, so I will have a numeric value I can use to compare.

With the following, my panel indefinitely shows "Search is waiting for input." Previously, I was not doing this birthdate comparison, and was simply using <earliestTime> and <latestTime> with the $field1.earliest$ and $field1.latest$ values, respectively. At this time, I got results, so I know the data is there.

I know that $field1.earliest$ is initially 0, so I tried removing all cases other than the first one, which is for matching a numeric string. My expectation was that this would remedy the problem for the initial setting, and I could work on adding the other match cases. However, the panel continued to display "Search is waiting for input."

Included below is the relevant code: first, the time input; followed by the panel with the search string.
Thanks for any help!

  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>
  </fieldset>
   <panel>
       <table>
          <title>User name</title>
          <searchString>index=X app=Y "username"| rex field=message "<BirthDatet>(?<BirthDate>.+)<\/BirthDate>"                 | eval birthDateTime = strpTime(BirthDate,"%Y-%m-%d") 
                | eval StartTime = case(match($field1.earliest$,"^\d+\.?\d*$"),$field1.earliest$,
                                        match($field1.earliest$,"^.*([A-Z]|[a-z]).*$"),relative_time(now(),$field1.earliest$),
                                        match($field1.earliest$,"^.+\/.+$"),auto($field1.earliest$),
                                        1=1, 0)
                 | where birthDateTime > StartTime
           </searchString>
    <earliestTime>0</earliestTime>
    &lt;latestTime&gt;$field1.latest$&lt;/latestTime&gt;
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="count">10</option>
  </table>
</panel>

sbob909 · ‎11-04-2015

It's the $ character that's the problem. Try replacing, in your regex, $ (end of line) with \Z (end of string). For example

"^\d+\.?\d*$"

becomes

"^\d+\.?\d*\Z"

Hope this helps

kurdbahr · ‎06-06-2015

"Search is waiting for input." - So the search is not executed yet.
If the search was run without results the message would say "Waiting for results" or "No results found".

Maybe you need to add the attribute searchWhenChanged="true" to the input element or add autoRun="true" to the fieldset element or change the attribute submitButton of the fieldset element from "false" to "true" to execute the search manually.

Maybe there is something wrong with the latestTime element. The opening and closing angle brackets are escaped in your code.

mboker · ‎06-08-2015

I've tried both suggested solutions, and neither has solved my problem, unfortunately. 😞

mboker · ‎06-08-2015

Yea, the latestTime element is only appearing that way in the question. I even tried to change it to '<' and '>' and it changed back when I saved it. I will try your suggestions.
Thanks!

How do I use case and match on a time token to determine proper method for converting time to seconds?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!