- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Query for multi time fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Query for multi time fields
Hi Team,
We have three time fields
- Time - Indexed time( CSV file uploaded time)
- Last_uploaded - Microservices latest deployed time
- Running_since - Microservices start time
All time fields are in "%+" (Fri Apr 24 05:00:20 +08 2020) format and are in the same timezone
Below fields are getting pushed to splunk through csv file
Time,Org,Space,Microservices,State,Stack,Buildpacks,Last_uploaded,Total_instance,Running_instance,Instance_state,Running_since,Used_CPU,Used_memory_bytes,Total_memory_bytes,Used_disk_bytes,Total_disk_bytes
Please help in how to create input panel for Last_uploaded, Running_since & what would be the query for the below requirement
- How to query all microservices deployed between particular dates example ( 14th April to 16th April )
- How many microservices were started between particular days example ( 17th April to 20th April )
Tired few options but no luck luck
| eval _time=strptime(Time,"%+") | eval Latest_deployment_time=strptime(Last_uploaded,"%+") | eval Instance_start_time=strptime(Running_since,"%+")
Regards,
Thomas Mathias
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Basically, you need to turn those nasty time formats into internal formats, which if I've decoded this correctly will look like this:
| eval time_Uploaded = strptime(Last_uploaded,"%a %b %d %H:%M:%S %:::z %Y")
then compare to your datestamps, which you will have calculated in your dash but I'll put in hard code here.
| where time_Uploaded >= strptime("2020-04-14","%Y-%m-%d")
AND time_Uploaded < strptime("2020-04-17","%Y-%m-%d")
Since these aren't the event _time or _indextime, which splunk can search on using its special time references, it may be easier, dash-wise, to have a time picker kick off a null search that returns the start and end times you want in tokens, so you don't have to deal with "now" or "-1d" or any other funky time formats.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- use
stats countwith time picker - use
timechartwithrename Running_since as _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your response. I am trying with single static table panel. Based on input panel selection, it should display the result. I will have the below input panels and they are interconnected. Based on user selection, it will display the result
Time,Org,Space,Microservices,State,Buildpacks,Last_uploaded,Total_instance,Running_instance,Instance_state,Running_since
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What's your query?
I can't make query with no log.
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
