Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use date-time field from event as span for search in Dashboard

tkwaller_2
Communicator
‎04-04-2018 08:01 AM

Hello

I have a field in my events that is named info_date_resReviewed in format "2017-09-24 00:00:00" and I'd like to use it as search delimiters. So really you could enter an earliest/latest "info_date_resReviewed" and get results based on the span of this field.

So
earliest ="info_date_resReviewed" and latest="info_date_resReviewed"

I was thinking dropdowns with available "info_date_resReviewed" and then using the tokens but havent gotten it to work. Any suggestions?

Thanks!

0 Karma
Reply

adonio
Ultra Champion
‎04-04-2018 08:18 AM

hello there,
splunk can use this format: "10/5/2016:20:00:00" for earliest= and latest=
first, modify your time to match this format using strptime or convert or other method.
than you can create a form input for earliest and latest, have the form inputs for latest dynamic and present only values greater than the value you chose for earliest to avoid conflict
create a dashboard with search/es, panels (or base search) that starts with earliest="$earliest$" latest="$latest$" and add your queries.

hope it helps

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...