I am trying to add a contextual input field to my dashboard and I seem to be having a hard time translating it into something Splunk understands. The idea is to be able to use a dropdown menu to select between 0, 30, 60, 90 days. At which point all subsequent dashboards will exclude logs that have VulnerabilityPublishedDate earlier than the selection. I originally thought I would give the dropdown a token, say $datemodifier$, and then add the below logic to each of my dashboard queries. But this does not seem to work.
In the dashboard I tried this.
| eval OffsetTime = strftime(relative_time(now(),"-$datemodifier$d@d"), "%Y-%m-%d")
This is my search
index=stuff sourcetype="stuff"
| eval Epoch_Time=strptime(VulnerabilityPublishedDate, "%Y-%m-%d")
| eval stripTime=strftime(Epoch_Time, "%Y-%m-%d")
| eval OffsetTime = strftime(relative_time(now(),"-30d@d"), "%Y-%m-%d")
| where stripTime <= OffsetTime
| table Epoch_Time stripTime VulnerabilityPublishedDate OffsetTime
Sample output from this search (columns: Epoch_Time, stripTime, VulnerabilityPublishedDate, OffsetTime):
Epoch_Time         stripTime   VulnerabilityPublishedDate  OffsetTime
1583798400.000000  2020-03-10  2020-03-10 00:00:00.0       2020-03-25
1583798400.000000  2020-03-10  2020-03-10 00:00:00.0       2020-03-25
1583798400.000000  2020-03-10  2020-03-10 00:00:00.0       2020-03-25
1583798400.000000  2020-03-10  2020-03-10 00:00:00.0       2020-03-25
1583798400.000000  2020-03-10  2020-03-10 00:00:00.0       2020-03-25
1583798400.000000  2020-03-10  2020-03-10 00:00:00.0       2020-03-25
1583798400.000000  2020-03-10  2020-03-10 00:00:00.0       2020-03-25
1583798400.000000  2020-03-10  2020-03-10 00:00:00.0       2020-03-25
1583798400.000000  2020-03-10  2020-03-10 00:00:00.0       2020-03-25
@jlovik use this instead for the offset. Convert the date modifier into seconds and subtract that from the epoch time [now()]
| eval OffsetTime = strftime(now() - ($datemodifier$ * 86400), "%Y-%m-%d")
This is exactly what I needed to get it all together. I edited it slightly in the final search for clarity. I also missed the tooltip telling me to use $ on both sides of the variable in the dashboard, which was one of my issues.
| eval Epoch_Time=strptime(VulnerabilityPublishedDate, "%Y-%m-%d")
| eval Addtime=strftime(Epoch_Time + (30 * 86400), "%Y-%m-%d")
| eval Now = strftime(now(), "%Y-%m-%d")
| where Addtime < Now
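The thread describes the dropdown and its $datemodifier$ token but never shows the dashboard side of the wiring. The following Simple XML form is an added example (not code from the original question or answer) that puts the pieces together: a fixed-choice dropdown for 0/30/60/90 days and a panel search that applies the accepted answer's "days * 86400 subtracted from now()" offset. The index and sourcetype are the placeholders from the question; the dashboard label, input label and the 24-hour time range are assumptions made for the example. The comparison is done on epoch values rather than on formatted date strings, and the token is passed through Simple XML's `|s` filter (quote and escape) into tonumber(), so that whatever reaches the search is treated as a number, not as SPL text.

```xml
<form>
  <label>Vulnerabilities by age of publication</label>
  <fieldset submitButton="false">
    <!-- Fixed-choice dropdown: the selected value becomes $datemodifier$ -->
    <input type="dropdown" token="datemodifier" searchWhenChanged="true">
      <label>Published at least N days ago</label>
      <choice value="0">0 days</choice>
      <choice value="30">30 days</choice>
      <choice value="60">60 days</choice>
      <choice value="90">90 days</choice>
      <default>30</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Vulnerabilities published $datemodifier$ or more days ago</title>
      <table>
        <search>
          <!-- index/sourcetype are the placeholders used in the question.
               $datemodifier|s$ expands to a quoted, escaped string such as "30",
               so tonumber() yields the day count and nothing else is interpreted as SPL.
               In XML the less-than operator must be written as &lt;. -->
          <query>index=stuff sourcetype="stuff"
| eval Epoch_Time=strptime(VulnerabilityPublishedDate, "%Y-%m-%d")
| eval Days=tonumber($datemodifier|s$)
| eval OffsetTime=now() - (Days * 86400)
| where Epoch_Time &lt;= OffsetTime
| eval OffsetDate=strftime(OffsetTime, "%Y-%m-%d")
| table VulnerabilityPublishedDate OffsetDate</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
</form>
```

Two points worth keeping in mind when adapting this. First, the token is substituted into the search as text before the search runs, so keep the input a dropdown with fixed choices rather than a free text box; with a text input a dashboard user could type arbitrary SPL into the query, which is why the example wraps the token with `|s` and tonumber() rather than using it bare in arithmetic. Second, with "0 days" selected the offset is now() itself, so the panel simply shows everything published up to today, which matches the question's intent that 0 means no exclusion.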