I have one column in my search named timerange which shows the time at which that event happened. I want to plot a graph (timechart), but on the dashboard I want to use a time picker that queries the time from my timerange column.
So, when I wrote the Splunk search query to get the data from the indexes,
I get the following results:
_time (time at which values got indexed), Total, Stable, Time (time at which the event happened)
1. 2019-06-25 23:56, 100, 100, 2019-06-05 05:07
2. 2019-06-25 23:56, 500, 500, 2019-06-05 05:08
3. 2019-06-25 23:56, 550, 570, 2019-06-05 05:09 (one row for every minute)
... 10000+ entries
The _time column has the same values.
If I use the above search query to create a dashboard and in the time picker I select data between 2019-06-05 and 2019-06-06, there are no values to plot. But if I select 2019-06-25 to 2019-06-26, it shows the events.
So basically I want to map my time picker to the time values at which the event happened, not the time at which the values got indexed.
Haha @woodcock, thank you @niketnilay and @woodcock for your comments.
I solved it by running search queries on my Time column. I take the input from the time token in the time picker, convert the earliest and latest fields into seconds/epochs, and run the search based on the epochs.
Be sure to click Accept on your answer!
@himanshu_idt yes, this was one of the options proposed in the answer link I had posted below. If that answer has helped, do upvote it so it can be helpful for others facing this issue.
Do also read the thread, as the All Time time picker selection needs additional attention 🙂
The right thing to do is to fix _time. In other words, do your time extraction correctly. It appears that you have a lazy Splunk admin and he used DATETIME_CONFIG = CURRENT in props.conf for your sourcetype. Have him go back and do his job right.
@himanshu_idt the right approach would be to fix the time while indexing the data so that it picks the time from the Time field in your data rather than setting it to the indexed time (current time). Refer to the Splunk docs for setting up props.conf for correct timestamp recognition: https://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition
However, there is an alternate approach: set a token for filtering Time values using string time based on the time picker selection, using an independent search. Refer to one of my older answers on how to set a string time token of a specific format using this approach: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html
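Added example (not code from this thread or from either poster) of the token approach himanshu_idt and niketnilay describe: a Simple XML panel reads the picker's tokens, converts them and the Time field to epochs, filters on event time, and re-bases _time so timechart buckets by when the event happened rather than when it was indexed. Assumed: index my_index, sourcetype my_sourcetype, the Time format %Y-%m-%d %H:%M seen in the sample rows, and a picker token named tp; the case() branches also cover the All Time selection (earliest "0", latest empty or "now") that niketnilay flags.

```xml
<form>
  <label>Timechart by event time (example)</label>
  <fieldset submitButton="false">
    <input type="time" token="tp">
      <label>Event time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=my_index sourcetype=my_sourcetype
| eval event_epoch=strptime(Time, "%Y-%m-%d %H:%M")
| eval tp_e="$tp.earliest$", tp_l="$tp.latest$"
| eval earliest_epoch=case(tp_e=="" OR tp_e=="0", 0, match(tp_e, "^\d+(\.\d+)?$"), tonumber(tp_e), true(), relative_time(now(), tp_e))
| eval latest_epoch=case(tp_l=="" OR tp_l=="now", now(), match(tp_l, "^\d+(\.\d+)?$"), tonumber(tp_l), true(), relative_time(now(), tp_l))
| where event_epoch >= earliest_epoch AND latest_epoch > event_epoch
| eval _time=event_epoch
| timechart span=1m max(Total) AS Total max(Stable) AS Stable</query>
          <!-- Fixed search window so _time (index time) does not filter rows out;
               the picker only drives the epoch comparison in the query above. -->
          <earliest>0</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

Absolute picker selections arrive as epoch strings (matched by the numeric regex), relative ones as modifiers such as -24h@h that relative_time() resolves against now().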
@himanshu_idt you would need to add more details for the community to assist you better. Do you have Time displayed in a table which you want to use for drilldown? Please add an example of what you currently have and what your use case is.
@niketnilay I have added more details.