filter a field based on a time picker (handling of...

sylbaea · ‎02-01-2017

Hello,

I have a query where I need to filter a date DateOpen_EPOC (already in EPOC format) with a time picker (token is date_open). This time picker is not linked to default _time.

From a past question on the forum, I got this which works fine in most of the case:

(...)
| where DateOpen_EPOC &gt;= if(replace("$date_open.earliest$","\d","")!="",relative_time(now(),"$date_open.earliest$"),"$date_open.earliest$")  
AND  DateOpen_EPOC &gt;= if(replace("$date_open.latest$","\d","")!="",relative_time(now(),"$date_open.latest$"),"$date_open.latest$")  
(...)

However this query does not work in (at least) in two specific cases:
- Time Picker = "All time" --> in that case, it looks $date_open.earliest$ and $date_open.latest$ return nothing and it does not work
- Time Picker = "Last 7 days" (for instance). Here $date_open.latest$ equals now and it does not work

Any suggestion to improve (or replace) this query to truly manage all cases ?
Thanks.

woodcock · ‎03-10-2017

Like this (NOTE: one of your > should surely have been <😞

(...)
| addinfo | where DateOpen_EPOC>=info_min_time AND DateOpen_EPOC<=info_max_time
(...)

filter a field based on a time picker (handling of special now / all time cases)

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms