Splunk Search

How do I compare the log date with the time picker date?

twh1
Communicator

I want to check the records for which CREATE_TIME matches based on my date selection from time picker control. Currently, I am using the below query, which is always checking only for today's date.

index=os_na sourcetype="oracle_os:healthcheck" "ADR Home ="
| multikv
| table HOSTNAME INCIDENT_ID PROBLEM_KEY CREATE_TIME TIMESTAMP
| dedup INCIDENT_ID
| eval create_day=substr(CREATE_TIME, 1, 10)
| eval now_day = strftime(now(), "%m/%d/%Y")
| where INCIDENT_ID!=" " AND create_day==now_day

Could you please help me get the desired result?

0 Karma

varun8159
Explorer

Do you need the earliest and latest token values of the time range picker to be used as a filter for CREATE_TIME?

0 Karma

twh1
Communicator

Yes @varun8159. I want to compare, if the date range is selected as 24th May to 25th May. I want to display the records for which we have CREATE_TIME between 24th May and 25th May.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @twh1

As per your requirement to filter events on the basis of the selected time picker range, which needs to be applied on the CREATE_TIME field, I have used the addinfo command. http://docs.splunk.com/Documentation/Splunk/7.1.3/SearchReference/Addinfo

Please try this:

YouR_SEARCH
| eval created_time=strptime(CREATE_TIME,"%Y-%m-%d %H:%M:%S.%N") 
| addinfo 
| where (info_max_time="+Infinity" OR (created_time<info_max_time AND created_time>info_min_time))

My sample search:

| makeresults 
| eval _raw="
INCIDENT_ID          PROBLEM_KEY                                                 CREATE_TIME                              
 -------------------- ----------------------------------------------------------- ---------------------------------------- 
 102753               ORA 15064                                                   2018-05-24 15:38:50.242000 -04:00       
 107689               ORA 29740                                                   2018-05-24 17:04:00.414000 -04:00       
 112801               ORA 32701                                                   2018-05-24 20:59:14.420000 -04:00 
 " 
| multikv 
| eval created_time=strptime(CREATE_TIME,"%Y-%m-%d %H:%M:%S.%N") 
| addinfo 
| where (info_max_time="+Infinity" OR (created_time<info_max_time AND created_time>info_min_time))

Thanks

0 Karma

twh1
Communicator

Hi @kamlesh_vaghela ,
I tried the above option and selected the date range as 24th May, but I am not getting any result.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @twh1

If you are executing my given search, then you have to select the date 2018-05-24 to get data.

0 Karma

twh1
Communicator

Hi @kamlesh_vaghela ,
I have selected the date range for which I have data, but still no data is coming (i.e. the create date has data from 24th May to 27th May, and I selected the date as 24th May 00:00 - 24:00).

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@twh1

Can you please share sample data for | table HOSTNAME INCIDENT_ID PROBLEM_KEY CREATE_TIME TIMESTAMP?

Are CREATE_TIME and TIMESTAMP the same?

0 Karma

twh1
Communicator

Hi @kamlesh_vaghela ,

You can find the same at the link below.

https://answers.splunk.com/answers/685745/how-do-you-get-tabular-event-with-field-value-pair.html

CREATE_TIME and TIMESTAMP are different times.

0 Karma