Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Custom time in search bar is not working

gaspnico57
Engager
‎07-05-2019 12:29 AM

Hello everyone!

I am trying to change the time range in the search bar but i am not able to get the time i want...
Here is a screenshot of what i get :
alt text

Do you have any idea of why i get these results?
In my query i do : eval _time=my_unix_time_column | eval nowstring=strftime(now(), "%Y-%m-%d")
My highest value : 1558539900 and my lowest one : 1545145873

Thank you very much!

Preview file
1 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎07-06-2019 03:05 PM

Fix your props.conf to set _time to the correct value. In the meantime, set your Time picker to something appropriately large and then do your search and tack on this:

... | where YourOtherTimeField >= relative_time(now(), "-90d")
0 Karma
Reply

niketn
Legend
‎07-05-2019 05:34 AM

@gaspnico57 please add more details to your question. What is it that you are trying to do and what is not working as expected.

Based on the query snippet, you are overriding _time with my_unix_time_column and showing current day as string time with YYYY-mm-dd format. It does not say what is the issue you are facing.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

gaspnico57
Engager
‎07-05-2019 05:41 AM

Hello @niketnilay,
Thank you for your answer!

I would like to have these result but only for the 90 last days and as you can see, i have _time values from 2018.

It's not normal, is it?

0 Karma
Reply

niketn
Legend
‎07-05-2019 06:00 AM

The time range picker value applies to Event Timestamp field which is _time. If you want to apply Time Range Filter to my_unix_time_column you should enable the same through props.conf while indexing the data by picking up the correct timestamp for the event.

As a workaround (non-efficient) you would need to get the epoch time from Time range picker and apply the same to my_unix_time_column field in your data. However, the search query would need to run for all time or with buffer time to ensure that all events with my_unix_time_column in the range of Time Picker earliest and latest epoch is pulled from index.

Refer to one of my older answers to set earliest and latest epoch time from Time Range filter. https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...