Splunk Search

Use timepicker earliest and latest as epoch time

christoffertoft
Communicator

I have the same problem as in the link below:

[https://answers.splunk.com/answers/336929/how-can-i-get-time-picker-earliest-and-latest-epoc.html?ut...]

Where I need the times to be either human-formatted (Y-M-D H:M:S) or epoch (1510317953).

However, when I do a search that relies on the timepicker.earliest and latest values I get an error.
My search query is ... | where _time > $time.earliest$ AND _time < $time.latest$

This gives the Error in 'where' command: The operator at 'd@d AND _time < now ' is invalid.

As we can see, the timepicker defaults the 30-day earliest and latest values to -30d@d and now.

Speed is kind of of the essence here so I need a way to format the input values from the timepicker or to allow the search to accept the specific formats the timepicker gives me.

Also a random question: why isn't this being done automatically? Seems very inefficient to keep converting every event between epoch, human-readable and other arbitrary Splunk time formats.

0 Karma
1 Solution

rjthibod
Champion

@kamlesh_vaghela's answer should work. Here is another solution that will give you two tokens you can use anywhere.

Basically, update the timepicker XML to include a change element that looks like this:

    <input type="time" token="time">
      ...
      <change>
        <eval token="time.earliest_epoch">if(isnum('earliest'),'earliest',relative_time(now(),'earliest'))</eval>
        <eval token="time.latest_epoch">if(isnum('latest'),'latest',relative_time(now(),'latest'))</eval>
      </change>
    </input>

That will give you the tokens time.earliest_epoch and time.latest_epoch that you can use for the filtering: ... | where _time > $time.earliest_epoch$ AND _time < $time.latest_epoch$


niketn
Legend

@christoffertoft, refer to the two options for getting the earliest and latest time from the Time Picker using a dummy search, i.e.

1) addinfo and
2) $job.earliestTime$ and $job.latestTime$

https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

christoffertoft
Communicator

Hi, and thanks for your reply. This unfortunately does not work. See the comment I posted to @kamlesh_vaghela's answer.

0 Karma

niketn
Legend

@christoffertoft, the option with job.earliestTime and job.latestTime should have worked. I am not sure if you tried. I was able to display results for All Time using those two tokens as earliest and latest:


Following is the additional code I used to test:

  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd
| timechart count
        </query>
          <earliest>$tokEarliestTime1$</earliest>
          <latest>$tokLatestTime1$</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>

But no need to stress as you already have a working solution 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma


andrewtrobec
Motivator

Simple, elegant, and still valid 3 years later! Thanks 🙂

0 Karma

christoffertoft
Communicator

Hi, and thank you very much for your help. @kamlesh_vaghela's answer does not work (please see my reply above). I will try your approach next to see if it works.

0 Karma

christoffertoft
Communicator

Hi, your approach with converting the values to epoch times seems to have worked. Can you explain the logic behind it?

0 Karma

rjthibod
Champion

As of Splunk 6.3, many of the form inputs can be extended to set / unset / eval tokens based on other tokens or their new values. So this answer looks at the new value of the timepicker whenever it changes, and figures out how to convert that value to epoch time. The isnum function in the first condition checks to see if the new time value is already in epoch time form. If it is false, that means the timepicker value is set to a relative time (like -30d@d), and the relative_time function converts that to epoch time.

0 Karma

christoffertoft
Communicator

Epic, thanks a lot. It was the final piece in the puzzle for my dashboard. Credits to you!

0 Karma

kamlesh_vaghela
SplunkTrust

Hi

Can you please try this one?

YOUR_SEARCH | addinfo | where _time > info_min_time AND _time < info_max_time

I have used the addinfo command for the earliest & latest time. Please check the link below for more info.

http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Addinfo

Thanks

christoffertoft
Communicator

This does not work unfortunately. The data I pull using a base search is accelerated and indexed from 0 to +infinity. As such, any events have the infinity or 0.0000 values for their min and max times respectively.

I have gotten the time as |eval _time=report_date

but the events stretch from 0 to infinity. This means I need to be able to use the timepicker to only choose events where the report_date (_time) is in the range selected in the timepicker.

0 Karma

kamlesh_vaghela
SplunkTrust

Hi @christoffertoft,

I missed the search in "All Time". Can you please try the search below?

YOUR_SEARCH | addinfo | where ((NOT (isnum(info_max_time) AND info_max_time!="+Infinity")) OR _time > info_min_time AND _time < info_max_time)

Thanks

0 Karma
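The two techniques in this thread, the `<change><eval>` that converts a timepicker token to epoch (rjthibod's accepted answer and his explanation of `isnum` / `relative_time`) and the `addinfo`-based `where` clause with the "All Time" guard (kamlesh_vaghela's last search), can be hard to reason about from the dashboard alone. The following is an added Python emulation of both, written for this page and not code from the thread or from Splunk. It assumes UTC and whole-second timestamps, supports only a subset of Splunk's relative-time syntax (`now`, a bare epoch number, and chains of `[+|-]N{s,m,h,d,w}` offsets and `@{s,m,h,d,w,mon,y}` snaps applied left to right, such as `-30d@d` or `@d-2h`), approximates SPL `isnum()` with a regular expression, and uses the epoch value quoted in the question (1510317953) as "now"; the sample events are constructed.

```python
"""Added example: emulate the timepicker-to-epoch eval and the addinfo
"All Time" guard from the thread in plain Python (assumptions: UTC,
whole seconds, subset of Splunk relative-time syntax)."""
import re
from datetime import datetime, timedelta, timezone

# Offsets like "-30d" / "+2h" and snaps like "@d" / "@mon", applied left to right.
_TOKEN = re.compile(r"(?P<sign>[+-])(?P<n>\d+)(?P<unit>[smhdw])|@(?P<snap>mon|[smhdwy])")
_WHOLE = re.compile(r"^(?:[+-]\d+[smhdw]|@(?:mon|[smhdwy]))+$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}
# Plain decimal numbers only, so "+Infinity" (what addinfo emits for All Time)
# is deliberately NOT numeric, matching how the thread relies on isnum().
_NUMERIC = re.compile(r"[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")


def is_num(value) -> bool:
    """Stand-in for SPL isnum(): true for ints, floats and numeric strings."""
    return _NUMERIC.fullmatch(str(value).strip()) is not None


def _snap(dt: datetime, unit: str) -> datetime:
    """Snap backwards to the start of the given unit (Splunk @w snaps to Sunday)."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit == "w":
        return day - timedelta(days=(day.weekday() + 1) % 7)
    if unit == "mon":
        return day.replace(day=1)
    return day.replace(month=1, day=1)  # "y"


def relative_time(now_epoch: int, modifier: str) -> int:
    """Stand-in for SPL relative_time(now(), modifier) on the supported subset."""
    modifier = modifier.strip()
    if modifier in ("", "now"):
        return int(now_epoch)
    if not _WHOLE.match(modifier):
        raise ValueError(f"unsupported relative time modifier: {modifier!r}")
    dt = datetime.fromtimestamp(int(now_epoch), tz=timezone.utc)
    for tok in _TOKEN.finditer(modifier):
        if tok.group("snap"):
            dt = _snap(dt, tok.group("snap"))
        else:
            secs = int(tok.group("n")) * _UNIT_SECONDS[tok.group("unit")]
            dt += timedelta(seconds=secs if tok.group("sign") == "+" else -secs)
    return int(dt.timestamp())


def eval_epoch_token(value, now_epoch: int) -> int:
    """Mirror of the accepted answer's <change><eval>:
    if(isnum('earliest'), 'earliest', relative_time(now(), 'earliest'))"""
    if is_num(value):
        return int(float(value))  # already epoch: pass through unchanged
    return relative_time(now_epoch, str(value))


def filter_by_info_window(events, info_min_time, info_max_time):
    """Mirror of the addinfo-based where clause: keep everything when the
    picker is All Time (info_max_time non-numeric or "+Infinity"), otherwise
    keep only info_min_time < _time < info_max_time."""
    unbounded = not (is_num(info_max_time) and str(info_max_time) != "+Infinity")
    if unbounded:
        return list(events)
    lo, hi = float(info_min_time), float(info_max_time)
    return [e for e in events if lo < e["_time"] < hi]


NOW = 1510317953  # epoch quoted in the question: 2017-11-10 12:45:53 UTC

# Constructed sample events on either side of the default -30d@d window.
EVENTS = [
    {"id": "old", "_time": 1507000000},     # before the window
    {"id": "recent", "_time": 1509000000},  # inside the window
    {"id": "now", "_time": NOW},            # equal to latest, excluded by "<"
]

if __name__ == "__main__":
    earliest = eval_epoch_token("-30d@d", NOW)
    latest = eval_epoch_token("now", NOW)
    print("window:", earliest, latest)
    print("last 30 days:", [e["id"] for e in filter_by_info_window(EVENTS, earliest, latest)])
    print("all time:", [e["id"] for e in filter_by_info_window(EVENTS, 0.0, "+Infinity")])
```

Running it shows why the original `where _time > $time.earliest$` failed: `-30d@d` is a modifier string, not a number, and only becomes comparable after `relative_time` turns it into 1507680000 (midnight UTC on 2017-10-11). It also shows why the first `addinfo` search matched nothing on All Time: `info_max_time` arrives as the string `+Infinity`, so a plain numeric comparison never holds and the guard clause is needed.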