Solved: How to plot based on customized time picker for Sp...

himanshu_idt · ‎06-27-2019

I have one column in search name timerange which shows time at with that event happened. I want to plot the graph (timechart) but on the dashboard, I want to use time picker which queries the time from my timerange column.

So, When I wrote the Splunk search query to get the data from the indexes.
I get the following results
_time(time at which vales got index),Total,Stable,Time(time at which the event happened)
1. 2019-06-25 23:56 , 100,100,2019-06-05 05:07
2. 2019-06-25 23:56,500,500,2019-06-05 05:08
3. 2019-06-25 23:56,550,570,2019-06-05 05:09(for every minute)
10000+ entries
_time column has the same values.
if I use the above search query to create a dashboard and in time picker if I select data between 2019-06-05 - 2019-06-06 there are not values to plot. But if I select data 2019-06-25 - 2019-06-26 it shows that event.

So basically I want to map my time picker to the time values at which event happened not the time at which values got indexed.

himanshu_idt · ‎07-01-2019

Haha @woodcock , Thank you @niketnilay and @woodcock for your comments.
I solved it by doing search queries my Time column. Take the input from time token in time picker and converted the earliest and latest field into seconds/epochs and ran the search based on epochs.

View solution in original post

himanshu_idt · ‎07-01-2019

Haha @woodcock , Thank you @niketnilay and @woodcock for your comments.
I solved it by doing search queries my Time column. Take the input from time token in time picker and converted the earliest and latest field into seconds/epochs and ran the search based on epochs.

woodcock · ‎07-01-2019

Be sure to click Accept on your answer!

niketn · ‎07-02-2019

@himanshu_idt yes this was one of the options proposed in the answer link I had posted below. If that answer has helped do upvote for it to be helpful for others facing this issue.

Do also read the thread as All Time time picker selection needs additional attention 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

woodcock · ‎07-01-2019

The right thing to do is to fix _time. In other words, do your time-extraction correctly. It appears that you have a lazy Splunk admin and he used DATETIME_CONFIG = CURRENT in props.conf for your sourcetype. Have him go back and do his job right.

niketn · ‎06-29-2019

@himanshu_idt right approach would be to fix the time while indexing data so that it pics time from Time field in your data rather than setting it as indexed time (current time). Refer to Splunk docs for setting up props.conf for correct timestamp recognition: https://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition

However, there would be an alternate approach to set a token for filtering Time values using string time based on timepicker selection using an independent search. Refer to one of my older answers as to how we can set string time token of specific format using this approach: https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎06-29-2019

@himanshu_idt you would need to add more details for the community to assist you better. Do you Time displayed in table which you want to use for drilldown? Please add example of what you currently have and what is your use case.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

himanshu_idt · ‎06-29-2019

@niketnilay I have added more details.

How to plot based on customized time picker for Splunk dashboards

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life