Splunk Dev

How to have a graph display today's data by default NOT using default time

twmoffit
Explorer

Hello

I am trying to figure out how to have my graphs display today's data based off of a field value and not the default event time stamps.

Here is my search to create the graph:

sourcetype=oracle:tablespacesize index=gwboracledb DBNAME="$dbname_filt$" TS_NAME="$ts_filt$"
| eval SNAP_DATE=strptime(SNAP_DATE,"%Y-%m-%d %H:%M:%S.%N")
| bin span=1d SNAP_DATE
| eval SNAP_DATE=strftime(SNAP_DATE,"%Y-%m-%d")
| eval today=relative_time(now(),"@d")
| search SNAP_DATE="$ts%date_filt$"
| eval USED_GB = USED_KB/1024/1024
| eval ALLOCATED_GB=ALLOCATED_KB/1024/1024
| eval FREE_GB=FREE_KB/1024/1024
| chart sum(FREE_GB) as "FREE" sum(USED_GB) as "USED" over TS_NAME
| sort limit=10 -num("USED")

As you can see, I am using the "SNAP_DATE" field as the date values in my graph. I also have a dropdown menu element on my panel that gives you the option to select a snap date to view. For some reason, using the "now()" command in the "SNAP_DATE" does not return any values. I tried using an eval line to create a "today" value but that did not seem to work at all and will be removed after posting this.
How can I make it so that there is an option in this dropdown to display today's data?

Thanks for the help

0 Karma

woodcock
Esteemed Legend

Ignore that you sort of know how to do it and pretend that you don't know anything other than what your events look like and what you need. Show us the events and describe what you need. Your existing search and description are confusing me.

0 Karma

gcusello
SplunkTrust

Hi twmoffit,
You have to insert the following in your main search:

earliest="$day$:00:00:00" latest="$day$:23:59:59"

where $day$ is the token of your dropdown.
Bye.
Giuseppe

0 Karma