Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to input time using earliest and latest tokens on a string date?

timcolpo
Explorer
‎09-23-2016 02:56 PM

I have a KVS that contains a week_date in the form of a string m/d/Y

|inputlookup AAA__test_execution_count | eval _time=strptime(week_date,"%m/%d/%Y")

Now what I want to do is have an input time on a form and use the earliest and latest tokens generated to ensure that that the week dates fall in the time range of the selected time.

        <input type="time" token="time_token" searchWhenChanged="true">
            <label>Select Event Time Filter:</label>
           <default>Business week to date</default>
        </input>

to later be used in a form something like

| inputlookup AAA__test_execution_count 
|eval _time=strptime(week_date,"%m/%d/%Y") 
|  <<<<<< to be in the range >>>>>> specified by the input file
| stats count by week_date

driving range from the query $time_token.earliest$ and $time_token.earliest$

Now I have tried getting the _time as coded to then add in any tags but this does not work.

I am now trying to manually generate a from and to time to compare using the settings but I am getting very confused on the different possible flavors of relative and custom times that could come out of the time picker.

Labels (2)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-24-2016 01:49 PM

Not certain I understand your question, but I'll give you some pointers that may help you

First... to get earliest/latest for time selected the timepicker, try this

<input type="time" token="time_token" searchWhenChanged="true">
   <label>Select Event Time Filter:</label>
   <default>Business week to date</default>
   <change>
    <eval token="e">if(isnum($time_token.earliest$, $time_token.earliest$, relative_time(now(), $time_token.earliest$)</eval>
    <eval token="l">if(isnum($time_token.latest$, $time_token.latest$,  relative_time(now(), $time_token.latest$)</eval>
</input>

To determine if week_date false between e & l, try this

base search | eval isBetween=if(week_date>=relative_time(e, "@d") AND week_date<=relative_time(l, "@d"), "Yes", "No")

View solution in original post

Reply
Solved! Jump to solution

drewg33
Engager
‎05-07-2019 09:33 AM

I know this has been answered already but I came across this same problem and I wrote a bit more code to account for a few addition cases that you can come across with time picker values depending on if you use preset times, date before/after/between, advanced, etc.
So I think this should account for all the possible types of values that a time picker token can have.
I hope this helps someone else because it took me a couple hours of debugging and iterating to get this to work perfectly for me. 

| eval e="$time_token.earliest$", l="$time_token.latest$"
| eval e=case(match(e, "^\d+$"), e, 
                    e="" OR e="now", "0", 
                    true(), relative_time(now(), e))
| eval l=case(match(l, "^\d+$"), l, 
                    l="" OR l="now", "2145916800", 
                    true(), relative_time(now(), l))
| eval e=tonumber(e), l=tonumber(l)
| where _time>='e' AND _time<='l'
Reply
Solved! Jump to solution

kartina
Engager
‎05-29-2020 03:47 AM

Thank you, @drewg33!
It was so helpful to me!

0 Karma
Reply
Solved! Jump to solution

noukash
Explorer
‎09-03-2019 12:49 AM

I have been looking for this for a long time. Could not get it by myself. Big thank you for this awesome solution.

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-24-2016 01:49 PM

Not certain I understand your question, but I'll give you some pointers that may help you

First... to get earliest/latest for time selected the timepicker, try this

<input type="time" token="time_token" searchWhenChanged="true">
   <label>Select Event Time Filter:</label>
   <default>Business week to date</default>
   <change>
    <eval token="e">if(isnum($time_token.earliest$, $time_token.earliest$, relative_time(now(), $time_token.earliest$)</eval>
    <eval token="l">if(isnum($time_token.latest$, $time_token.latest$,  relative_time(now(), $time_token.latest$)</eval>
</input>

To determine if week_date false between e & l, try this

base search | eval isBetween=if(week_date>=relative_time(e, "@d") AND week_date<=relative_time(l, "@d"), "Yes", "No")
Reply
Solved! Jump to solution

Xisor
Explorer
‎10-10-2016 04:06 AM

That didn't quite work for me, but it was very close and got me to a working answer!

I haven't re-factored it back into the XML, but in the pure SPL I found this had to be undertaken:

| eval e=if(isnum("$time_token.earliest$"), "$time_token.earliest$", relative_time(now(), "$time_token.earliest$"))
| eval l=if(isnum("$time_token.latest$"), "$time_token.latest$",  relative_time(now(), "$time_token.latest$"))
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...