How to change the custom time range dynamically based on the epoch time in a field

vadud3
Path Finder

I have events like this

SiteEng,siteeng,1271646762,1273602865,99.98,0.02

Here the Start field has the value 1271646762 and the End field has the value 1273602865.

How do I make the custom field automatically change based on the earliest epoch time in the Start field and the latest epoch time in the End field?

These events are coming from a CSV file which gets updated by cronjob.

So when I search for the report with index="hobbit", I would like the time range to automatically change based on the only CSV file it indexes.

I would like the time range to show something like this:

http://picpaste.com/splunk_6.png

0 Karma

sideview
SplunkTrust

Are you asking for a way users can interact with those events that would be like: 'search for events between this start and endtime'?

If so then you can use a workflow action.
http://www.splunk.com/base/Documentation/4.1/Knowledge/CreateworkflowactionsinSplunkWeb

In brief, you can configure a workflow action such that when the 'Start' field and the 'End' field are both present in any event, the user is given an option in the event menu that can be a URL (i.e. to flashtimeline), and in that URL you can use the Start and End field values to preset the earliest= and latest= arguments in the flashtimeline URL. Setting those arguments will correctly prepopulate the TimeRangePicker.

And the URI part of your workflow action would look like this:

http:///en-US/app/search/flashtimeline?q=search%20sourcetype%3Dfoo&earliest=$Start$&latest=$End$

0 Karma
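
The workflow action described in the answer above, written out as a `workflow_actions.conf` stanza. This is an added example, not part of the original post. The stanza name, the label and the `<splunk-web-host>` placeholder are assumptions (the answer's URL omits the host); `sourcetype=foo` and the `earliest`/`latest` arguments come from that URL.

```ini
# workflow_actions.conf (added example; stanza name and label are hypothetical)
[search_between_start_and_end]
type = link
label = Search between Start and End

# Listing both fields means the action is offered only on events
# that carry both Start and End.
fields = Start,End

# Show the action in the per-event menu, as the answer describes.
display_location = event_menu

# Open the flashtimeline view with a GET request in a new window.
link.method = get
link.target = blank

# $Start$ and $End$ are replaced with the epoch values from the clicked event,
# so the TimeRangePicker is prepopulated with that event's own range.
# <splunk-web-host> is a placeholder for your Splunk Web host and port.
link.uri = http://<splunk-web-host>/en-US/app/search/flashtimeline?q=search%20sourcetype%3Dfoo&earliest=$Start$&latest=$End$
```

The substituted values come from one event at a time, so the range matches the clicked row rather than the earliest Start and latest End across the whole CSV file.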

Lowell
Super Champion

I really don't understand your question....

Are you trying to use the CSV events to determine the time range of a search in Splunk? That seems like an odd thing to do, but it's somewhat possible using the map search command.

You could try a search like:

index=hobbit | map search="search index=hobbit starttimeu::$Start$ endtimeu::$End$"

This isn't going to reset the timerange picker in the upper right hand of the screen, if that's what you are trying to do.

If you are simply trying to see Start and End in a human readable format, you can do that quite easily with:

index=hobbit | convert timeformat="%Y%m%d %H:%M:%S" ctime(Start), ctime(End)

If you clarify your question, I or someone else may be able to give you a better suggestion.

0 Karma