Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use date-time field from event as span for search in Dashboard

tkwaller_2
Communicator
‎04-04-2018 08:01 AM

Hello

I have a field in my events that is named info_date_resReviewed in format "2017-09-24 00:00:00" and I'd like to use it as search delimiters. So really you could enter an earliest/latest "info_date_resReviewed" and get results based on the span of this field.

So
earliest ="info_date_resReviewed" and latest="info_date_resReviewed"

I was thinking dropdowns with available "info_date_resReviewed" and then using the tokens but havent gotten it to work. Any suggestions?

Thanks!

0 Karma
Reply

adonio
Ultra Champion
‎04-04-2018 08:18 AM

hello there,
splunk can use this format: "10/5/2016:20:00:00" for earliest= and latest=
first, modify your time to match this format using strptime or convert or other method.
than you can create a form input for earliest and latest, have the form inputs for latest dynamic and present only values greater than the value you chose for earliest to avoid conflict
create a dashboard with search/es, panels (or base search) that starts with earliest="$earliest$" latest="$latest$" and add your queries.

hope it helps

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...