In my dashboard, I am getting the Submit_Date max and min values which are taken from the timepicker. It selects the date or time range. However, when it selects last 10 days to now, it's not working. Instead of latest now(), it's populating only now
| where Submit_Date >=$timer1.earliest$ AND Submit_Date <=$timer1.latest$
| eval now=now() | where Submit_Date >= "$timer1.earliest$" AND Submit_Date <= "$timer1.latest$"
this hack is working for me |eval now=now()
@vemurisurya, Submit_Date seems to be a date field from the event. Does it contain epoch time or string time?
You would need to make sure Submit_Date is epoch time; if not, use strptime() to convert it to epoch time. Also, if you are using Time Picker input for earliest and latest tokens you have to make sure it returns epoch time as well?
Refer to the following answer using earliest and latest tokens from Time Picker input as epoch time: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html
Assuming you want to use the same time range picker that you have in your dashboard to filter events by different date fields, try like this (assuming your date fields have a human-readable timestamp with format %Y-%m-%d %H:%M:%S. If it's different, update line 2 with that)
your current search
| eval filterDateEpoch=strptime('Submit_Date',"%Y-%m-%d %H:%M:%S")
| addinfo
| where filterDateEpoch>=info_min_time AND filterDateEpoch<=info_max_time
| fields - info_min_time info_max_time info_search_time info_sid filterDateEpoch
The addinfo command adds the current search's time range (earliest and latest) as fields info_min_time (i.e. earliest) and info_max_time (i.e. latest), with values in epoch format, to all events. Line two will convert your date field to an epoch value so that it can be compared.
Is timer1 also used as the time range in your dashboard search, or do you use some different time range picker for it?
All the panels are using same time picker
So do you have two time range pickers in your dashboard or just one?
just one
Try adding these tokens in the header of the table/panel to know what values are being set.
<title>earliest=$timer1.earliest$ and latest=$timer1.latest$</title>
Hi,
Here is the problem: in my panels the time fields are different. One panel has Submit_Date, another one has Create_date, and another has closed_date.
_time and the field dates are different
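A run-anywhere version of the addinfo approach from the answer above, added here as an example and not posted by any participant in the thread. The three sample events are constructed with makeresults, range_start and range_end are illustrative field names, and the extra eval covers an "All time" selection, where addinfo reports info_max_time as +Infinity instead of an epoch value.

```spl
| makeresults count=3
| streamstats count AS n
| eval Submit_Date=strftime(now() - (n * 4 * 86400), "%Y-%m-%d %H:%M:%S")
| eval filterDateEpoch=strptime(Submit_Date, "%Y-%m-%d %H:%M:%S")
| addinfo
| eval range_start=info_min_time
| eval range_end=if(info_max_time="+Infinity", now(), info_max_time)
| where isnotnull(filterDateEpoch) AND filterDateEpoch>=range_start AND filterDateEpoch<=range_end
| fields - info_min_time info_max_time info_search_time info_sid n
```

The constructed Submit_Date values fall 4, 8 and 12 days before the search runs, so a "Last 10 days" selection should keep the first two. For the other panels, swap Submit_Date for Create_date or closed_date and adjust the strptime format if those fields are stored differently.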