Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to store $job.earliestTime$ and $job.latestTime$ values in two variables?

gcusello
SplunkTrust
SplunkTrust
‎11-17-2015 08:14 AM

Hi to all,

Does anyone know if it is possible to store $job.earliestTime$ and $job.latestTime$ in two variables?
I have to match these values with a lookup containing a list of dates in a search.

Thank you.
Bye.
Giuseppe

Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-20-2015 02:20 AM

No this solution doesn't work.
I solved storing my date list in an index instead of a lookup: in this way each item has an own timestamp and I can use them.

View solution in original post

Reply
Solved! Jump to solution

nfilippi_splunk
Splunk Employee
Splunk Employee
‎11-20-2015 12:56 PM

Not sure if this matches to you use case here, but Splunk 6.3 introduces search event handlers to access job metadata that might get you close to what you are looking for.

From a search and simple xml standpoint, it looks like this:

<search>
   <query>index=foo bar</query>
   <earliest>-60m@m</earliest>
   <latest>now</latest>

    <progress>
        <set token="myEarliest">$job.earliestTyime$</set>
        <set token="myLatest">$job.latestTyime$</set>
    </progress>
<search>

The above simple xml snippet grabs the job earliestTime/latestTime, and sets tokens based on them, making these tokens available throughout the page.

Reply
Solved! Jump to solution

usernamejpblais
Engager
‎09-06-2019 12:18 PM

Hi,

I was wondering if you had any response regarding how to change the format of those 2 variables: $job.earliestime$$joblatestime$

Thanks!

0 Karma
Reply
Solved! Jump to solution

skender27
Contributor
‎12-03-2015 06:39 AM

Hi,

And how is it possible to change the format of these two variables:
let's suppose $job.earliestime$ shows 2015-11-03T00:00:00.000+01:00

What if I needed to see only the date and no time zone (not the part T00:00:00.000+01:00)?
Is it possible?

Thanks,
Skender

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-20-2015 02:20 AM

No this solution doesn't work.
I solved storing my date list in an index instead of a lookup: in this way each item has an own timestamp and I can use them.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-17-2015 10:03 AM

Just use eval to make a copy like this:

... | eval jobEarliestTime = $job.earliestTime$ | eval jobLatestTime = $job.latestTime$ ...
Reply
Solved! Jump to solution

Muwafi
Path Finder
‎05-04-2020 06:47 PM

Hello @woodcock, you are a wonderful Splunker. I wanna thank you for all efforts you are providing here.

Regarding the $job.latestTime$ token , in case if you are choosing the preset time "All Time" from the Time Picker, the value is of the token will be null or "NaN".

So how to add a condition using eval if to force it to be eqal to now() in such case?

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎05-04-2020 07:06 PM

Time ranges(Settings » User interface » Time ranges):

Name    Label   Order   Earliest time   Latest time Owner
all_time    All time    500 0           No owner
0 Karma
Reply
Solved! Jump to solution

Muwafi
Path Finder
‎05-06-2020 07:30 AM

Thanks , I changed the Latest Time to "now" and it's working.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...