Hi,
Updating the Question!!
I am using the Time Line app in my dashboard. If I zoom in on a particular time duration, it displays only those events which start in that time duration.
If I select earliest time = 11 AM and latest time = 3 PM, it won't display these events even though they are running in that duration.
(As it only displays events which start between 11 AM and 3 PM)
Expected TimeLine (edited snapshot)
Dashboard
<viz type="timeline_app.timeline">
<search>
<query>
eventtype=mlc_live host=$host_token$ sourcetype=tool_lifecycle | eval FullCommand=ScriptName | rex field="ScriptName" "^\S+_\K(?<ScriptName>[a-zA-Z]+)" | rex field="ActivityType" "^#(?<ActivityType>[^\.]+);" | eval ActivityType=if(isNOTNULL(ActivityType),ActivityType,"NA") | eval Start = StartDate + " " + StartTime | eval End = EndDate + " " + EndTime | eval StartEpoc=strptime(Start,"%d/%m/%Y %H:%M:%S") | eval EndEpoc=strptime(End,"%d/%m/%Y %H:%M:%S") | eval Duration = round(EndEpoc - StartEpoc,0) | table _time ScriptName FullCommand Start End Duration UniqueIdentifier Status ActivityType | dedup UniqueIdentifier | search ScriptName IN ($script_name_token$) AND ActivityType IN ($activity_type_token$) AND FullCommand IN ($full_command_token$) AND Status IN ($status_token$) | convert dur2sec(Duration) AS Duration | eval Duration=Duration*1000 | eval FullCommand2=FullCommand | sort 0 $sort_chart_by_token$ | table _time $Flip_Chart$ Duration UniqueIdentifier
</query>
<earliest>$chart_selection.earliest$</earliest>
<latest>$chart_selection.latest$</latest>
</search>
</viz>
Is there any chance we can check both start and end time while fetching the data?
Or (this is quite complex):
a) save the earliest time in some temp. token
b) re-evaluate the earliest time to an older time, say (12 hrs); it will also include the data which started in the last 12 hrs
c) if the earliest time is less than the temp token, overwrite it with the temp token
Or is there any better option for this problem?
Thanks
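One way to implement steps a) to c) in Simple XML, as an added example that is not part of the original post: a hidden search captures the picker's window as epoch tokens via addinfo, the viz search is widened by an assumed 12 hours, and a where clause keeps only events whose [Start, End] interval overlaps the picked window. The token names $chart_selection.*$ and the field names are taken from the question; win_start, win_end and wide_start are assumed token names.

```xml
<!-- Added example, not the original dashboard. Captures the picker bounds as tokens:
     makeresults ignores the time range, but addinfo reports the search's own bounds. -->
<search>
  <query>| makeresults | addinfo
| eval win_start=info_min_time, win_end=info_max_time
| eval wide_start=max(0, win_start - 43200)
| fields win_start win_end wide_start</query>
  <earliest>$chart_selection.earliest$</earliest>
  <latest>$chart_selection.latest$</latest>
  <done>
    <!-- 43200 s = 12 h look-back: assumed longest run an event can have.
         Caveat: with "All time" selected, win_end is "+Infinity"; pick a bounded range. -->
    <set token="win_start">$result.win_start$</set>
    <set token="win_end">$result.win_end$</set>
    <set token="wide_start">$result.wide_start$</set>
  </done>
</search>

<viz type="timeline_app.timeline">
  <search>
    <!-- Search the widened window, then keep events that overlap the picked window:
         started before the window ends AND ended (or is still running) after it starts. -->
    <query>eventtype=mlc_live host=$host_token$ sourcetype=tool_lifecycle
| eval Start=StartDate." ".StartTime, End=EndDate." ".EndTime
| eval StartEpoc=strptime(Start,"%d/%m/%Y %H:%M:%S"), EndEpoc=strptime(End,"%d/%m/%Y %H:%M:%S")
| eval EndEpoc=coalesce(EndEpoc, now())
| dedup UniqueIdentifier
| where StartEpoc <= $win_end$ AND EndEpoc >= $win_start$
| eval Duration=round(EndEpoc - StartEpoc, 0) * 1000, _time=StartEpoc
| table _time ScriptName Duration UniqueIdentifier</query>
    <!-- epoch seconds are valid here; the window starts 12 h before the picker's earliest -->
    <earliest>$wide_start$</earliest>
    <latest>$win_end$</latest>
  </search>
</viz>
```

Events with no EndDate yet (still running) are treated as ending now, which is an assumption about this data; drop the coalesce line if such rows should be excluded instead.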
Hi agoyal,
In Splunk there must always be a Time Period that includes events; if you have another custom date_time field you can use it to filter events, but the problem is that the Time Period must always be larger than the custom one.
You can solve this problem in two ways:
I hope to be clear!
I had this problem for an application and I used the time picker to choose the main Time period, then I configured two dropdowns to choose start and end time.
Bye.
Giuseppe
Thanks for the reply. I have updated my question for better understanding. I tried the first point; even though it includes old data, it won't work for me.
The 2nd way won't be feasible for me as well 😞