Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Compare current time vs fields time

JoshuaJohn
Contributor
‎03-01-2018 11:48 AM

I have a checkbox that when ticked I want it to compare the current time vs. the time of the values in a field of the panel. It would then only show the devices that exceed the current time. If unchecked all devices show regardless of time.

alt text
static option true = strftime(_time,"%m/%d/%Y %I:%M:%S %p")
alt text (Field I want to compare to)

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

micahkemp
Champion
‎03-01-2018 06:18 PM

Here is a run anywhere dashboard that uses a recent answers post's sample data to demonstrate what I think you're looking for:

<form>
  <label>622761</label>
   <fieldset submitButton="false">
     <input type="checkbox" token="filter_expired" searchWhenChanged="true">
       <label></label>
       <choice value="yes">Check for expired</choice>
       <delimiter> </delimiter>
       <change>
         <condition value="yes">
           <eval token="checked_result_value">"Status=Expired"</eval>
         </condition>
         <condition>
           <eval token="checked_result_value">""</eval>
         </condition>
       </change>
     </input>
   </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults 
 | eval Class_Date="2018-1-1" 
 | append [| makeresults | eval Class_Date="2018-12-12"] 
 | append [| makeresults | eval Class_Date="2017-1-2"] 
 | append [| makeresults | eval Class_Date="2017-1-3"] 
 | eval class_plus_one_year = relative_time(strptime(Class_Date, "%Y-%m-%d"), "+1y")
 | eval Status = if(now() > class_plus_one_year, "Expired", "Valid")
 | search $checked_result_value$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...