- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to change the default time range in search...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to change the default time range in search?
I have below data
LOG_DATE MSG_RECV_DATE
20160809 20160809
20160809 20160809
20160809 20160809
20160810 20160809
20160810 20160809
20160810 20160809
The Splunk time range is based on LOG_DATE
In the dashboard have the date filter, if select 20160809 it display the count as 3 instead of 6. The graph is plotted for span of 15 min for the selected date. Below is the code snippet. The root cause is it searching based on the selected date in the LOG_DATE and not in the MSG_RECV_DATE because the time range field is mapped to LOG_DATE
sourcetype=test | eval PaymentRecvDateTime= MSG_RECV_DATE.MSG_RECV_TIME | eval PaymentRecvDateTimeEpoch= strptime(PaymentRecvDateTime,"%Y%m%d%H%M%S")| bucket PaymentRecvDateTimeEpoch span=15m | stats dc(LOG_REF_ID) as PaymentCount by PaymentRecvDateTimeEpoch | search PaymentRecvDateTimeEpoch<=$ENDDATEEPOCH$ PaymentRecvDateTimeEpoch>=$STARTDATEEPOCH$ | rename PaymentRecvDateTimeEpoch AS _time |timechart span=15m sum(PaymentCount) as count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=xyz MSG_RECV_DATE>=[| makeresults | eval search=strftime(relative_time(now() , "$timepicker.earliest$"), "%Y%m%d") | fields search] MSG_RECV_DATE<=[| makeresults | eval search=strftime(relative_time(now() , "$timepicker.latest$"), "%Y%m%d") | fields search] | rest of your search here
Or try this
index=xyz [| makeresults | eval l=strftime($ENDDATEEPOCH$, "%Y%m%d") | eval e=strftime($STARTDATEEPOCH$, "%Y%m%d") | eval search="(MSG_RECV_DATE>=".e." AND MSG_RECV_DATE<=".l.")" | table search ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My drop down is MESG_RECV_DATE and not the LOG_DATE
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure I understand. Are you not using a timepicker? If you aren't can you restate what it is you're trying to do
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you wanting to have the time range picker on a dashboard (Add Input > Time) not to search on the Splunk "_time" value which is default of when the event was indexed. But that of the timestamp found within the event itself "_raw"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
my problem is LOG_DATE is the _time field (defined in splunk) and while dashboard search I want ALL the LOG_DATE not for a particular date after selected from drop down.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
