Splunk Search

Converting relative time into epoch for the time range picker

Svill321
Path Finder

Good day,

Recently, I worked on a project that required me to set up a way for users to retrieve records from SQL with varying dates. I was able to set it up to run so that they can pick explicit dates to search between with an eval statement:

[dbxquery here] | eval submitdate_epoch=strptime(submit_date, "%Y-%m-%d %H:%M:%S.%N") | search submitdate_epoch>=$timetok1.earliest$ AND submitdate_epoch<=$timetok1.latest$

However, to make things easier for the user, I'd like to also include a way to pass relative time into the search, such as "now" or "7 days ago". Is there any way to do this, and if so, can you point me towards it?

Thank you.

1 Solution

niketn
Legend

Since the Time Token change event does not handle tokens for time, the following is the workaround to achieve this:

1) Create Time input token with token name as timetok1

  <fieldset submitButton="false">
    <input type="time" token="timetok1" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-5m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

2) Add a dummy search to get time input tokens $timetok1.earliest$ and $timetok1.latest$. Then access the default search handler tokens $job.earliestTime$ and $job.latestTime$

  <search>
    <query>|makeresults
    </query>
    <earliest>$timetok1.earliest$</earliest>
    <latest>$timetok1.latest$</latest>
    <progress>
      <eval token="tokEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
      <eval token="tokLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval>
    </progress>
  </search>

PS: Use the eval tag to convert string time to epoch using strptime()

3) Use tokens tokEarliest and tokLatest in your other searches in the dashboard, which are epoch time.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
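As an added illustration (not part of niketn's answer or of Splunk's own code), here is a small Python re-implementation of the two conversions the workaround relies on: resolving a relative modifier such as `-5m` or `-7d@d` from the time picker to epoch seconds, and parsing the `$job.earliestTime$` / `$job.latestTime$` string into epoch, mirroring the strptime call in the `<progress>` handler. It is simplified (only the s/m/h/d units and `@` snapping are supported) and the "now" and sample timestamps are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed "now" so results are reproducible: 2024-03-01 10:15:30 UTC.
SAMPLE_NOW = datetime(2024, 3, 1, 10, 15, 30, tzinfo=timezone.utc)

# Splunk-style relative modifier: optional "now", optional +/-N unit, optional @snap.
# Simplified: only s/m/h/d units and snapping to those units are supported here.
_REL = re.compile(r"^(?:now)?(?P<off>[+-]\d+[smhd])?(?:@(?P<snap>[smhd]))?$")
_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
_SNAP = {"s": ("microsecond",),
         "m": ("second", "microsecond"),
         "h": ("minute", "second", "microsecond"),
         "d": ("hour", "minute", "second", "microsecond")}


def relative_to_epoch(modifier: str, now: datetime = SAMPLE_NOW) -> int:
    """Resolve a time-picker modifier such as "now", "-5m" or "-7d@d" to epoch seconds."""
    m = _REL.match(modifier.strip())
    if not m:
        # Free text like "7 days ago" is not Splunk relative-time syntax; reject it.
        raise ValueError(f"unsupported relative time modifier: {modifier!r}")
    t = now
    if m.group("off"):                       # apply the +/-N offset first
        n, unit = int(m.group("off")[:-1]), m.group("off")[-1]
        t += timedelta(**{_UNIT[unit]: n})
    if m.group("snap"):                      # then snap down to the unit boundary
        t = t.replace(**{f: 0 for f in _SNAP[m.group("snap")]})
    return int(t.timestamp())


def job_time_to_epoch(job_time: str) -> int:
    """Parse the $job.earliestTime$ / $job.latestTime$ string (constructed sample:
    "2024-03-01T10:15:30.000-05:00") to epoch seconds, mirroring the
    strptime(..., "%Y-%m-%dT%H:%M:%S.%3N%z") call in the <progress> handler."""
    return int(datetime.strptime(job_time, "%Y-%m-%dT%H:%M:%S.%f%z").timestamp())


if __name__ == "__main__":
    for mod in ("now", "-5m", "-7d@d", "@h"):
        print(f"{mod:>8} -> {relative_to_epoch(mod)}")
    print(job_time_to_epoch("2024-03-01T10:15:30.000-05:00"))
```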


isanchez
Engager

Great solution!

niketn
Legend

I had updated my answer with two approaches (on a similar idea of using an independent search as mentioned above). Please refer to that as well.

https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

kkrishnan_splun
Splunk Employee

@niketnilay Thank you so much. Your solution is very elegant.

Is there a way to do this from an independent search window as opposed to within a dashboard ?


niketn
Legend

@kkrishnan_splunk the possibility would be to use

  | makeresults
  | fields - _time
  | addinfo
  | fields info_min_time, info_max_time
  | map search="<yourActualSearchWith$info_min_time$And$info_max_time$>"

If this does not work or help please explain a bit more on your use case.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Svill321
Path Finder

This worked beautifully. Thank you so much!

gt_dev
Explorer

I have been looking for this answer for about 3 hours today. Thank you very much!

niketn
Legend

Anytime! 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"