Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use the time input field to calculate time as seconds?

abzmhzsplunk
New Member
‎03-09-2017 10:56 AM

Hi,

In my form, I have labeled my time input as field3 such as:

     input type="time" token="field3" searchWhenChanged="true"

In the search below it, I want to calculate the time as seconds, using 

 | eval time_s=$field3.latest$ - $field3.earliest$

But I got error.

Any idea how to use the Time Input field to calculate the time in seconds?

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-09-2017 11:38 AM

As an alternative, you can do this instead:

... | addinfo | eval time_s = info_max_time - info_min_time

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎03-09-2017 12:29 PM

I am not sure of the purpose of this calculation, however, Earliest and Latest Time selected in a Search through Input Control are available as $job.searchLatestTime$ and $job.searchEarliestTime$ in preview and finalized search event handler. You can use eval attribute to calculate time span in seconds applied to search via time input.

    <search>
      <query>|makeresults </query>
      <earliest>$field3.earliest$</earliest>
      <latest>$field3.latest$</latest>
      <sampleRatio>1</sampleRatio>
      <preview>
        <eval token="SearchSpan">$job.searchLatestTime$-$job.searchEarliestTime$</eval>  
      </preview>
    </search>

You can then use the token in your form like in the following HTML panel

  <html>
    Selected Time Span=$SearchSpan$
  </html>
</panel>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-09-2017 11:39 AM

That should definitely work.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-09-2017 11:38 AM

As an alternative, you can do this instead:

... | addinfo | eval time_s = info_max_time - info_min_time
Reply
Solved! Jump to solution

DalJeanis
Legend
‎03-09-2017 11:50 AM

Upvote because for this usage, there's no reason to futz with anything else.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-09-2017 12:54 PM

The really nice thing about this option is that you might have multiple timepickers and even then, you might override all of them with earliest=; this should handle every case with no thinking/planning/upkeep.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-09-2017 11:35 AM

Whenever you get an error, you should report the error text, too.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...