Convert timepicker token to epoch time for eval, r...

dojiepreji · ‎01-22-2019

I need to compare my timepicker values (timePicker token) to the field date_e which returns an epoch value.

I convert my timepicker to epoch using if command.

My search goes something like this,

| eval e = if(isnum($timePicker.earliest$), $timePicker.earliest$, relative_time(now(), "$timePicker.earliest$")) 
| eval l = if(isnum($timePicker.latest$), $timePicker.latest$, relative_time(now(), "$timePicker.latest$")) 
| where date_e>= e AND date_e<= l

This is fine if the user selects two dates using 'Between' in timepicker.
However, if the user chooses 'Month to Date', I encounter an error

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '@mon), @mon, relative_time(now(), "@mon"))".

Can anybody please help me out?

BernardEAI · ‎06-03-2021

I have been trying to get this right for a while. I used to make use of this format:

<eval token="earliest_epoch">if(isnum($p2_period.earliest$),$p2_period.earliest$,relative_time(now(),$p2_period.earliest$))</eval>

I had that code in a dummy search that would run when I hit the "Submit" button, and in the <change> tag for the time input.

This seemed to work well, until it stopped working (we upgraded to Splunk 8 from 7 and I think this is when it stopped working. This is reported here as well, the problem revolves around the isnum check: https://community.splunk.com/t5/Splunk-Enterprise/xml-Check-if-a-value-is-a-number/m-p/554255#M5996 )

I eventually decided to go over to javascript to solve this. I now have the following code in the "submit" event (gets triggered on the "Submit" button click):

    service.oneshotSearch("| makeresults | eval time=\"" + earliest_time + "\" \
                           | append [ | makeresults | eval time=\"" + latest_time + "\"] \
                           | eval time_e = if(isnum(time),time,relative_time(now(),time))"   , {
        output_mode: "JSON"
    }, function (err, results) {
        if (err) {
            console.error(err);
        } else {   
            earliest_time_e = results.results[0]['time_e']
            console.log(earliest_time_e );
            latest_time_e = results.results[1]['time_e']
            console.log(latest_time_e );

            var now_time_e = Math.round(Date.now()/1000)
            var diff_time_e = now_time_e - earliest_time_e
            
            //set any tokens needed   
            mvc.Components.getInstance('submitted').set('earliest_time_e',earliest_time_e );
            
            // rest of code.......
  

            }

        }});

The oneShotSearch executes this type of search (this one adds an eval to produce a 2 week plus and 2 week minus time as well):

| makeresults | eval time=1620079200 
| append [ | makeresults | eval time=1622671200]

| eval time_e = if(isnum(time),time,relative_time(now(),time))
| eval time_min_2w = relative_time(time_e,"-2w")
| eval time_plus_2w = relative_time(time_e,"+2w")

In this way you can to any type of time manipulation and set your tokens, allowing a lot of flexibility.

p_gurav · ‎01-23-2019

Try using :

your search ..| appendcols  [|gentimes start=-1 | addinfo | table info_max_time, info_min_time] | where date_e>= info_min_time AND date_e<= info_max_time

dojiepreji · ‎01-23-2019

I'm sorry but I'm not using timepickers to filter the search itself, which is why I don't think I can use info_min_time and info_max_time. I'm only using the timepicker to compare it to date_e. My time range for this table is set to 'Global'.

Convert timepicker token to epoch time for eval, regardless of timepicker combination

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!