Custom time in search bar is not working

gaspnico57
Engager

Hello everyone!

I am trying to change the time range in the search bar but I am not able to get the time I want...
Here is a screenshot of what I get:

Do you have any idea why I get these results?
In my query I do: eval _time=my_unix_time_column | eval nowstring=strftime(now(), "%Y-%m-%d")
My highest value: 1558539900 and my lowest one: 1545145873

Thank you very much!

0 Karma

woodcock
Esteemed Legend

Fix your props.conf to set _time to the correct value. In the meantime, set your Time picker to something appropriately large and then do your search and tack on this:

... | where YourOtherTimeField >= relative_time(now(), "-90d")
0 Karma

niketn
Legend

@gaspnico57 please add more details to your question. What is it that you are trying to do, and what is not working as expected?

Based on the query snippet, you are overriding _time with my_unix_time_column and showing the current day as a string in YYYY-mm-dd format. It does not say what issue you are facing.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

gaspnico57
Engager

Hello @niketnilay,
Thank you for your answer!

I would like to have these results but only for the last 90 days and, as you can see, I have _time values from 2018.

It's not normal, is it?

0 Karma

niketn
Legend

The time range picker value applies to the event timestamp field, which is _time. If you want to apply the time range filter to my_unix_time_column, you should enable that through props.conf while indexing the data, by picking up the correct timestamp for the event.

As a workaround (inefficient), you would need to get the epoch time from the time range picker and apply it to the my_unix_time_column field in your data. However, the search query would need to run for all time, or with buffer time, to ensure that all events with my_unix_time_column in the range of the time picker's earliest and latest epoch are pulled from the index.

Refer to one of my older answers to set earliest and latest epoch time from Time Range filter. https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
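
The props.conf fix that both answers point to, as an added example that is not part of the original thread. The sourcetype name `my_sourcetype` and the `my_unix_time_column=<epoch>` layout of the raw event are assumptions; adapt the stanza name and TIME_PREFIX to the real data.

```ini
# props.conf on the indexer or heavy forwarder that parses this data.
# Assumed (not from the thread): the sourcetype name and the key=value layout
# of the raw event, e.g. this constructed event:
#   id=42 my_unix_time_column=1558539900 status=ok
[my_sourcetype]
# Regex matching the text immediately before the timestamp in the raw event.
TIME_PREFIX = my_unix_time_column=
# %s = seconds since the Unix epoch (1558539900 -> 2019-05-22 UTC).
TIME_FORMAT = %s
# Read only the 10 epoch digits after TIME_PREFIX, so no other number
# on the line is mistaken for the timestamp.
MAX_TIMESTAMP_LOOKAHEAD = 10
```

Timestamp extraction happens when the data is parsed for indexing, so this only affects events indexed after the change; events already in the index keep their old _time and still need the search-time workaround.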