Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use a dashboard time range picker to reference a time column in a CSV file generated by an inputcsv search?

ishaanshekhar
Communicator
‎07-28-2015 10:22 AM

I have a csv file that I have not indexed and am using it directly through the inputcsv command. The problem is that since it is not indexed, it does not have a _time value by default. I want the dashboard to have a time range picker that would reference a column in the csv file as the _time.

I tried this search below, but that says no results found.

| inputcsv file.csv | eval _time=strptime(Ticket_Reported_Date,"%Y/%m/%d %H:%M:%S") | search earliest=$time_tok.earliest$ latest=$time_tok.latest$ | timechart span=1mon count

Please help!!! Thanks in advance!

Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-28-2015 12:40 PM

Replace your search with this:

... | where _time >="$time_tok.earliest$" AND _time < if("$time_tok.latest$"=="now", now(), "$time_tok.latest$") | ...

Make sure all the special cases such as all time are handled properly, add similar if() expressions if they aren't.

View solution in original post

Reply
Solved! Jump to solution

cspires64
Path Finder
‎08-07-2015 09:43 AM

This also works . . .
|inputlookup Example.csv | addinfo |eval et=round(info_min_time, 0) | eval lt=if(info_max_time='+Infinity', 'now', round(info_max_time, 0)) | convert timeformat="%Y/%m/%d %H:%M:%S" ctime(et), ctime(lt)| where DateField>=et AND DateField

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-28-2015 12:40 PM

Replace your search with this:

... | where _time >="$time_tok.earliest$" AND _time < if("$time_tok.latest$"=="now", now(), "$time_tok.latest$") | ...

Make sure all the special cases such as all time are handled properly, add similar if() expressions if they aren't.

Reply
Solved! Jump to solution

ishaanshekhar
Communicator
‎07-30-2015 01:28 AM

Thank you Martin! The search did indeed work... and as you said, would require all the special cases of time format. Is there a list that I could refer to include in my conditions... I guess relative dates could be anything so it may be difficult to maintain huge list of conditions.

Is it possible to use the time range picker as is, and directly use the token value without multiple conditions check?

If it is not possible, then I would try changing the time range view to include only fixed date range option and disable the rest.

Thank you!

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-31-2015 05:15 PM

I'd approach this with a small case() - one branch deals with "now", another with numbers for epoch timestamps, and another uses relative_time(now(), ) to deal with "-5m" and the like.

0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top