How to have a graph display today's data by default NOT using default time

twmoffit
Explorer

Hello

I am trying to figure out how to have my graphs display today's data based off of a field value and not the default event time stamps.

Here is my search to create the graph:

sourcetype=oracle:tablespacesize index=gwboracledb DBNAME="$dbname_filt$" TS_NAME="$ts_filt$"
| eval SNAP_DATE=strptime(SNAP_DATE,"%Y-%m-%d %H:%M:%S.%N")
| bin span=1d SNAP_DATE
| eval SNAP_DATE=strftime(SNAP_DATE,"%Y-%m-%d")
| eval today=relative_time(now(),"@d")
| search SNAP_DATE="$ts%date_filt$"
| eval USED_GB = USED_KB/1024/1024
| eval ALLOCATED_GB=ALLOCATED_KB/1024/1024
| eval FREE_GB=FREE_KB/1024/1024
| chart sum(FREE_GB) as "FREE" sum(USED_GB) as "USED" over TS_NAME
| sort limit=10 -num("USED")

As you can see, I am using the "SNAP_DATE" field as the date values in my graph. I also have a dropdown menu element on my panel that gives you the option to select a snap date to view. For some reason, using the "now()" command in the "SNAP_DATE" does not return any values. I tried using an eval line to create a "today" value but that did not seem to work at all and will be removed after posting this.
How can I make it so that there is an option in this dropdown to display today's data?

Thanks for the help

0 Karma

woodcock
Esteemed Legend

Ignore that you sort of know how to do it and pretend that you don't know anything other than what your events look like and what you need. Show us the events and describe what you need. Your existing search and description are confusing me.

0 Karma

gcusello
SplunkTrust

Hi twmoffit,
you have to insert in your main search

earliest="$day$:00:00:00" latest="$day$:23:59:59"

where $day$ is the token of your dropdown.
Bye.
Giuseppe

0 Karma
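
Added example, not part of the thread and not any poster's code: a Simple XML form whose snap-date dropdown carries a static "Today" choice, with the panel filtering on a day derived from SNAP_DATE rather than on _time. The filter uses `where` because the `search` command compares a field to literal text and does not evaluate functions such as now(). The token name snap_day and the makeresults sample rows are assumptions made for illustration, and the question's DBNAME and TS_NAME filters are left out.

```xml
<form version="1.1">
  <label>Tablespace usage by snap date (added example)</label>
  <!-- Constructed rows standing in for the oracle:tablespacesize events:
       one SNAP_DATE per day for today and the two days before. -->
  <search id="snaps">
    <query>| makeresults count=3
| streamstats count AS n
| eval SNAP_DATE=strftime(now()-(n-1)*86400,"%Y-%m-%d %H:%M:%S").".000000"
| eval TS_NAME="TS_".n, USED_KB=n*1048576, FREE_KB=2097152
| eval SNAP_DAY=strftime(strptime(SNAP_DATE,"%Y-%m-%d %H:%M:%S.%N"),"%Y-%m-%d")
| fields SNAP_DAY TS_NAME USED_KB FREE_KB</query>
  </search>
  <fieldset submitButton="false">
    <!-- snap_day is a hypothetical token name, not taken from the thread. -->
    <input type="dropdown" token="snap_day" searchWhenChanged="true">
      <label>Snap date</label>
      <!-- Static sentinel choice; the panel search resolves it at run time. -->
      <choice value="today">Today</choice>
      <default>today</default>
      <fieldForLabel>SNAP_DAY</fieldForLabel>
      <fieldForValue>SNAP_DAY</fieldForValue>
      <search base="snaps">
        <query>| stats count BY SNAP_DAY | sort - SNAP_DAY</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search base="snaps">
          <!-- where evaluates strftime(now(), ...); the search command would
               compare SNAP_DAY against the literal text instead. -->
          <query>| eval wanted=if("$snap_day$"="today", strftime(now(),"%Y-%m-%d"), "$snap_day$")
| where SNAP_DAY=wanted
| eval USED_GB=USED_KB/1024/1024, FREE_GB=FREE_KB/1024/1024
| chart sum(FREE_GB) AS FREE sum(USED_GB) AS USED over TS_NAME</query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
```

To use it against real data, replace the makeresults lines in the base search with the indexed search and keep the SNAP_DAY eval and the fields line.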