Hi,
Can you please help me to understand how to use the time input token range for the below scenarios? I'm having issues dealing with the time range filter in dashboard query.
Oracle table added to splunk using DBconnect
ProviderID Booked_Date Time Visit_Type
1 11/1/2018 10AM Office
1 11/1/2018 11AM Telephone
2 11/2/2018 10AM Telephone
3 11/5/2018 3PM Office
Look up crated to get Name for provider ID that is working good with static query.
index="booking_history" | dbxlookup lookup=PROVIDER_LOOKUP | eval myDate=strptime(BOOKED_DATE, "%Y-%m-%d")
| where myDate=strptime("11/1/2018", "%Y-%m-%d") | chart count(VISIT_TYPE_CID) over APPT_DATE by VISIT_TYPE_NAME
index="booking_history" | dbxlookup lookup=PROVIDER_LOOKUP | eval myDate=strptime(BOOKED_DATE, "%Y-%m-%d")
| where myDate>=strptime("$time_input.latest$", "%Y-%m-%d") AND myDate<=strptime("$time_input.latest$", "%Y-%m-%d") | chart count(VISIT_TYPE_CID) over APPT_DATE by VISIT_TYPE_NAME
Note: Getting long integers when trying to retrieve "time_input" from UI.
Thanks.
If you're seeing long integers then you're seeing epoch timestamps. You don't need to put them through strptime()
, they already have the unit/format strptime()
would return. You can compare them to myDate
directly.
Side note, you're using $time_input.latest$
twice. You probably want $time_input.earliest$
for the first comparison.
Thanks martin for the response,I tweaked the query to use strpttime() and strftime() in right places.It's working good.Here is the final query used.
index="booking_history" | dbxlookup lookup=PROVIDER_LOOKUP |eval earlyDate=strftime("$time_range.earliest$", "%Y-%m-%d")| eval latestDate=strftime("$time_range.latest$", "%Y-%m-%d")| eval apptDate=strptime(APPT_DATE, "%Y-%m-%d %H:%M:%S")|eval apptDate1=strftime(apptDate, "%Y-%m-%d")|where apptDate1>=earlyDate AND apptDate1<=latestDate |table APPT_DATE VISIT_TYPE_CID VISIT_TYPE_NAME earlyDate latestDate apptDate1 | chart count(VISIT_TYPE_CID) over apptDate1 by VISIT_TYPE_NAME