Can someone explain to me the specific function of the code below?

pavanraghav
Explorer

| eval created_upper_token=if("$time_token.latest$"="" OR like("$time_token.latest$","%now%"),"@s","$time_token.latest$")
| eval created_lower_token=if("$time_token.earliest$"="",0,"$time_token.earliest$")
| replace "rt*" with * in created_upper_token
| replace "rt*" with * in created_lower_token
| eval created_lower_bound = if(isnum(created_lower_token), created_lower_token, relative_time(now(),created_lower_token))
| eval created_upper_bound = if(isnum(created_upper_token), created_upper_token, relative_time(now(),created_upper_token))
| where order_date >= created_lower_bound AND order_date <= created_upper_bound

1 Solution

arjunpkishore5
Motivator

I've added comments to your query to help understand each line.

    | eval created_upper_token=if("$time_token.latest$"="" OR like("$time_token.latest$","%now%"),"@s","$time_token.latest$") 
`comment("This is setting created_upper_token to @s indicating last second if the value of $time_token.latest$ is now. If not use the same value as $time_token.latest$")` 
    | eval created_lower_token=if("$time_token.earliest$"="",0,"$time_token.earliest$") 
`comment("This is setting created_lower_token to 0 indicating 'All Time' if the value of $time_token.earliest$ is blank. If not use the same value as $time_token.latest$")`
    | replace "rt*" with * in created_upper_token 
`comment("Replacing anything with rt* with some value in created_upper_token. Your formatting has removed some text, so not sure what the replacement value is")`
    | replace "rt*" with * in created_lower_token  
`comment("Replacing anything with rt with * in created_lower_token. Your formatting may have removed some text, so not sure if the replacement value is *")`
    | eval created_lower_bound = if(isnum(created_lower_token), created_lower_token, relative_time(now(),created_lower_token)) 
`comment("Convert to absolute epoch time if the value is time specifier")`
    | eval created_upper_bound = if(isnum(created_upper_token), created_upper_token, relative_time(now(),created_upper_token)) 
`comment("Convert to absolute epoch time if the value is time specifier")`
    | where order_date >= created_lower_bound AND order_date <= created_upper_bound 
`comment("Filter")`

This basically looks like getting the time_token from a time input in a dashboard. The code is basically converting the values selected by the users in the dashboard to epoch times so that they can be used in the filter. This is done to accommodate filters such as "Last 7 days" or "Month to Date" etc.

The intention is to filter the results based on order_time instead of _time.


0 Karma

woodcock
Esteemed Legend

Let's break it down line by line:

| eval created_upper_token=if("$time_token.latest$"="" OR like("$time_token.latest$","%now%"),"@s","$time_token.latest$")
| eval created_lower_token=if("$time_token.earliest$"="",0,"$time_token.earliest$")

Those 2 lines capture the value of the Time picker.

| replace "rt*" with * in created_upper_token
| replace "rt*" with * in created_lower_token

Those 2 lines convert from realtime to NOT realtime.

| eval created_lower_bound = if(isnum(created_lower_token), created_lower_token, relative_time(now(),created_lower_token)) 
| eval created_upper_bound = if(isnum(created_upper_token), created_upper_token, relative_time(now(),created_upper_token))

If the values in the Time picker were integers, then use them. If they were relative time modifiers, then convert them to integers.

| where order_date >= created_lower_bound AND order_date <= created_upper_bound

That line filters the results set to those events between the Time picker bounds.

pavanraghav
Explorer

Hi arjun,
Thanks a lot for the explanation.

Can you please help me by explaining the below code too:

| eval e="$time_token.earliest$", l="$time_token.latest$"
| eval e=case(match(e,"^\d+$"),e, e="" OR e="now", "0", true(), relative_time(now(),e))
| eval l=case(match(l,"^\d+$"),l, l="" OR l="now", "2145916800", true(), relative_time(now(),l))
| eval e=tonumber(e), l=tonumber(l)
| where order_date >= e AND order_date <= l

0 Karma
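The following is an added example, not code from this thread: a small Python model of the token-normalisation logic the answers above walk through (blank or "now" latest becomes a bound, the real-time "rt" prefix is stripped, integer tokens are kept as epoch seconds, anything else is resolved as a relative-time modifier) and of the follow-up variant that uses a regex numeric check and the 2145916800 far-future sentinel as an open upper bound. The `relative_time` function, the fixed "now", and the order records are assumptions constructed for the example; it implements only a subset of Splunk's relative-time syntax (an optional `[+-]N{s,m,h,d,w}` offset followed by an optional `@{s,m,h,d}` snap), and it is meant to make the bound calculation checkable offline, not to replace the SPL.

```python
import re
from datetime import datetime, timezone

# Seconds per unit for the offset part of a relative-time modifier.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Sentinel used by the follow-up query as an open upper bound (2038-01-01 UTC).
FAR_FUTURE = 2145916800

# Supported subset of Splunk syntax: optional [+-]N<unit> offset, optional @<unit> snap.
_REL = re.compile(r"^(?:([+-]?\d+)([smhdw]))?(?:@([smhd]))?$")


def relative_time(now: int, modifier: str) -> int:
    """Model of Splunk's relative_time(): apply the offset, then snap to the unit (UTC)."""
    if modifier == "now":
        return now
    m = _REL.match(modifier)
    if not m:
        raise ValueError(f"unsupported relative-time modifier: {modifier!r}")
    amount, unit, snap = m.groups()
    t = now + (int(amount) * UNIT_SECONDS[unit] if amount else 0)
    if snap:
        dt = datetime.fromtimestamp(t, tz=timezone.utc)
        if snap == "d":
            dt = dt.replace(hour=0, minute=0, second=0, microsecond=0)
        elif snap == "h":
            dt = dt.replace(minute=0, second=0, microsecond=0)
        elif snap == "m":
            dt = dt.replace(second=0, microsecond=0)
        else:  # "s"
            dt = dt.replace(microsecond=0)
        t = int(dt.timestamp())
    return t


def token_to_epoch(token: str, now: int) -> int:
    """Shared tail of both queries: drop a real-time 'rt' prefix, keep integer
    tokens as epoch seconds, otherwise resolve a relative-time modifier."""
    if token.startswith("rt"):          # replace "rt*" with * in created_*_token
        token = token[2:]
    if re.fullmatch(r"\d+", token):     # isnum(...) in the first query, match(e,"^\d+$") in the second
        return int(token)
    return relative_time(now, token)


def lower_bound(earliest: str, now: int) -> int:
    """A blank earliest token means 'All time', which both queries encode as 0."""
    if earliest == "":
        return 0
    return token_to_epoch(earliest, now)


def upper_bound(latest: str, now: int, open_ended: bool = False) -> int:
    """Blank or 'now' latest: the original query snaps to the current second (@s);
    the follow-up query instead substitutes the FAR_FUTURE sentinel."""
    if latest == "" or "now" in latest:
        return FAR_FUTURE if open_ended else relative_time(now, "@s")
    return token_to_epoch(latest, now)


def filter_orders(records, earliest: str, latest: str, now: int, open_ended: bool = False):
    """The final `where` clause: keep records whose order_date lies within [lo, hi]."""
    lo = lower_bound(earliest, now)
    hi = upper_bound(latest, now, open_ended)
    return [r["id"] for r in records if lo <= r["order_date"] <= hi]


# Constructed data: a fixed "now" of 2024-03-15 12:00:00 UTC and four orders.
NOW = 1710504000
RECORDS = [
    {"id": "A", "order_date": NOW - 10 * 86400},  # ten days ago
    {"id": "B", "order_date": NOW - 3 * 86400},   # three days ago
    {"id": "C", "order_date": NOW - 3600},        # one hour ago
    {"id": "D", "order_date": NOW + 86400},       # future-dated order (tomorrow)
]

if __name__ == "__main__":
    # "Last 7 days" in the time picker: earliest="-7d@d", latest="now"
    print(filter_orders(RECORDS, "-7d@d", "now", NOW))           # ['B', 'C']
    # A real-time token such as "rt-30s" is normalised by stripping "rt"
    print(lower_bound("rt-30s", NOW) == NOW - 30)                # True
    # Follow-up variant: blank picker => 0 .. FAR_FUTURE, so future-dated D is kept
    print(filter_orders(RECORDS, "", "", NOW, open_ended=True))  # ['A', 'B', 'C', 'D']
```

The two upper-bound behaviours are worth noticing when reviewing dashboards built on this pattern: with the original query a blank or "now" latest clamps results to the current second, so a record whose order_date is in the future (a mis-set clock, or a field populated from user input) is silently dropped, whereas the follow-up query's sentinel keeps it. Which one is correct depends on whether order_date is trusted; the example lets you see the difference on the same records.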