Solved: Changing how time is displayed based on user input

exocore123 · ‎06-26-2017

I have a dashboard with a range of aggregation span from 1h, 1d, 7d, 1mon. And I want to change how timestamp is displayed depending on the user input for aggregation span, something like this

eval Timestamp=case($span$="1mon", strftime(_time,"%b %Y"), $span$="1d" OR $span$="7d", strftime(_time,"%d %b %Y"))

However, I keep getting a mismatched ) error, not sure how to work around this.

lguinn2 · ‎06-26-2017

I don't really see a problem, but I wonder if it is something to do with the token. Try this and see what happens:

eval Timestamp=case("$span$"="1mon", strftime(_time,"%b %Y"),
                    "$span$"="1d" OR "$span$"="7d", strftime(_time,"%d %b %Y") )

View solution in original post

lguinn2 · ‎06-26-2017

I don't really see a problem, but I wonder if it is something to do with the token. Try this and see what happens:

eval Timestamp=case("$span$"="1mon", strftime(_time,"%b %Y"),
                    "$span$"="1d" OR "$span$"="7d", strftime(_time,"%d %b %Y") )

cmerriman · ‎06-26-2017

Or possible $span|s$ to encase the token value in quotes.
Is that where your search breaks? When you run everything before that eval it works?

exocore123 · ‎06-27-2017

Yep, seems like I had to put the input in quotes, thank you

Changing how time is displayed based on user input

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor