
how to change the custom time range dynamically based on the epoch time in field

vadud3
Path Finder

I have events like this

SiteEng,siteeng,1271646762,1273602865,99.98,0.02

Here the Start field has the value 1271646762 and the End field has the value 1273602865.

How do I make the custom field automatically change based on the earliest epoch time in the Start field and the latest epoch time in the End field?

These events are coming from a CSV file which gets updated by cronjob.

So when I search for the report with index="hobbit" I'd like the time range to automatically change based on the only CSV file it indexes.

I'd like the time range to show something like this:

http://picpaste.com/splunk_6.png


sideview
SplunkTrust

Are you asking for a way users can interact with those events that would be like: 'search for events between this start and endtime'?

If so then you can use a workflow action.
http://www.splunk.com/base/Documentation/4.1/Knowledge/CreateworkflowactionsinSplunkWeb

In brief, you can configure a workflow action such that when the 'Start' field and the 'End' field are both present in any event, the user is given an option in the event menu that can be a URL (i.e. to flashtimeline), and in that URL you can use the Start and End field values to preset the earliest= and latest= arguments in the flashtimeline URL. Setting those arguments will correctly prepopulate the TimeRangePicker.

And the URI part of your workflow action would look like this:

http:///en-US/app/search/flashtimeline?q=search%20sourcetype%3Dfoo&earliest=$Start$&latest=$End$


Lowell
Super Champion

I really don't understand your question....

Are you trying to use the CSV events to determine the time range of a search in Splunk? That seems like an odd thing to do, but it's somewhat possible using the map search command.

You could try a search like:

index=hobbit | map search="search index=hobbit starttimeu::$Start$ endtimeu::$End$"

This isn't going to reset the timerange picker in the upper right hand of the screen, if that's what you are trying to do.

If you are simply trying to see Start and End in a human readable format, you can do that quite easily with:

index=hobbit | convert timeformat="%Y%m%d %H:%M:%S" ctime(Start), ctime(End)

If you clarify your question, I or someone else may be able to give you a better suggestion.

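As an added illustration of what the two answers above are doing, and not code from either poster or from Splunk: the script below takes CSV lines of the shape shown in the question, derives the overall earliest Start / latest End window (the "custom time range" the question asks for), renders epochs the way convert ctime() would, lists the per-event searches that Lowell's map command would run, and builds a flashtimeline URL with earliest= and latest= as in sideview's workflow action. The column names other than Start and End, the sample rows, and the host name are assumptions. Rows whose Start or End is not an integer epoch (or where End precedes Start) are dropped rather than inserted into a URL, which is the check a defender wants before field values are substituted into a link.

```python
import csv
import io
import time
from urllib.parse import urlencode, quote

# Constructed sample rows (only the first one appears in the question).
# Column names other than Start and End are assumed. The last row is
# deliberately malformed to show that bad epochs are rejected.
SAMPLE_CSV = """\
SiteEng,siteeng,1271646762,1273602865,99.98,0.02
SiteOps,siteops,1270000000,1272000000,99.50,0.50
SiteQA,siteqa,1271500000,1274000000,98.00,2.00
SiteBad,sitebad,notanumber,1274000000,0,0
"""
FIELDS = ["Site", "Host", "Start", "End", "Uptime", "Downtime"]  # assumed header


def parse_events(text):
    """Parse CSV rows into dicts with integer Start/End; skip rows that are not usable."""
    events = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        try:
            start, end = int(row["Start"]), int(row["End"])
        except (TypeError, ValueError):
            continue  # non-numeric epoch: never let it reach a URL or search
        if end < start:
            continue  # inverted window is not a valid time range
        events.append({**row, "Start": start, "End": end})
    return events


def overall_range(events):
    """Earliest Start and latest End across all events: the window the question asks for."""
    return min(e["Start"] for e in events), max(e["End"] for e in events)


def ctime(epoch, fmt="%Y%m%d %H:%M:%S"):
    """Epoch seconds -> readable string, like convert ctime(); UTC is used here."""
    return time.strftime(fmt, time.gmtime(epoch))


def per_event_searches(events, index="hobbit"):
    """The searches the map command would run, one per event, bounded by that event's window."""
    return [
        f"search index={index} starttimeu::{e['Start']} endtimeu::{e['End']}"
        for e in events
    ]


def flashtimeline_url(base, query, earliest, latest):
    """Workflow-action style URL with the time range preset via earliest= and latest=.

    Only integer epochs are accepted, and the query is percent-encoded
    (space -> %20, '=' -> %3D) the way the URI in sideview's answer is.
    """
    if not (isinstance(earliest, int) and isinstance(latest, int)):
        raise ValueError("earliest/latest must be epoch integers")
    params = urlencode(
        {"q": query, "earliest": earliest, "latest": latest}, quote_via=quote
    )
    return f"{base}/en-US/app/search/flashtimeline?{params}"


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    lo, hi = overall_range(evs)
    print("overall window:", lo, hi, "->", ctime(lo), "..", ctime(hi))
    for s in per_event_searches(evs):
        print(s)
    # "splunk.example" is a placeholder host, not the poster's server.
    print(flashtimeline_url("http://splunk.example", "search sourcetype=foo", lo, hi))
```

Running it prints the overall window in both epoch and readable form, the three per-event searches (the malformed fourth row is skipped), and a URL whose earliest/latest values are the aggregate window rather than a single event's, which is the difference between the question's wish and what the per-event workflow action gives.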