I am trying to use the token passed through the time input in a dashboard to a search query. In this specific example, I am trying to do the following:
|eval date=strptime($timepicker.latest$,"%H:%M")
If I select the default time as 'today' or 'yesterday', the value for timepicker is sent as @d and the eval command cannot extract the hour and minute; rather, it fails with the following:
Error in 'eval' command: The expression is malformed. An unexpected character is reached at '@d,"%H:%M")'.
How can I pass through the timepicker token as a converted epoch formatted time?
@kunwarjit
Here I suggest using the addinfo search command. You will get the time boundaries as fields in epoch time, so you can use them directly as per your need.
info_min_time: The earliest time boundary for the search.
info_max_time: The latest time boundary for the search.
| makeresults | addinfo |eval date=strftime(info_max_time,"%H:%M")
https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Addinfo
Thanks
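A Simple XML sketch of the approach in the answer above, added here as an example and not part of the original thread: the time input's token is bound to the search's earliest/latest instead of being substituted into eval, and addinfo returns the resolved epoch boundary. The dashboard label and the latest_epoch field name are assumptions; the if() guard covers the "All time" preset, where info_max_time is +Infinity rather than an epoch value.

```xml
<form>
  <!-- Label is an assumed placeholder -->
  <label>Timepicker to epoch example</label>
  <fieldset submitButton="false">
    <!-- Same token name as in the question: $timepicker.earliest$ / $timepicker.latest$ -->
    <input type="time" token="timepicker">
      <label>Time range</label>
      <default>
        <!-- "Yesterday" preset: latest is the relative modifier @d, the case that broke eval -->
        <earliest>-1d@d</earliest>
        <latest>@d</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- The token is never placed inside eval; Splunk resolves @d for the search
               time range and addinfo exposes the result as info_max_time (epoch). -->
          <query>
            | makeresults
            | addinfo
            | eval latest_epoch=if(info_max_time="+Infinity", now(), info_max_time)
            | eval date=strftime(latest_epoch,"%H:%M")
            | table latest_epoch date
          </query>
          <earliest>$timepicker.earliest$</earliest>
          <latest>$timepicker.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```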
Coincidentally enough, code was just posted for this a few days ago here (be sure to UpVote):
https://answers.splunk.com/answers/786365/can-some-one-explain-me-the-function-of-the-below.html#ans...
Thanks, works like a charm!