I can’t make my time range picker pick my time field.

When you are working with Hadoop using Hunk or when you are working with Splunk and the time field you want to work with is not _time, you may want to use the time picker in a dashboard with some other time field. You may have the same problem when the current _time field is not the time field you want to use for the current search.

Here is a solution you might use to make time selections work in every case including in panels.

| inputlookup SampleData.csv
| eval _time=strptime(claim_filing_date,"%Y-%m-%d")
| sort - _time
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")

Let’s Break this search down into its parts.

| inputlookup SampleData.csv

This is an example of pulling in data directly from a .csv file. It behaves just like it would from one of your searches against a Hadoop file that has no _time value.

Add enough filters to the search so that you aren’t working with the entire data set. In Hadoop, this could be a serious situation leading to copying literally all of your data to a sort. Remember filter first > munge later. Get as specific as you can and then the search will run in the least amount of time. Do this by filtering data like this

index=myindex something=”thisOneThing” someThingElse=”thatThing” myTimeField=”06-26-2016”

| eval _time=strptime(claim_filing_date,"%Y-%m-%d")

This converts the date in “claim_filing_date” into epoch time and stores it in “_time”.

Learn to specify Date and Time variables here.

http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Commontimeformatvariables

| sort - _time

This sorts all of the records by time since they weren’t in that order before.

| addinfo

This statement adds info_min_time and info_max_time fields which are the min and max of the new values for _time that you have. The statement is needed for the time control in reports and panels to make it work properly.

   | where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")

This is where the magic happens. Here we are filtering the results based on comparisons between your _time field and the time range you created with the time picker.

Notice that we also had to compare against “+infinity”. This is what Splunk uses for the info_max_time field when you select all time on the time picker. When you move this Splunk search to a Splunk panel, we will have to do a few more things before this works as you expect.

For the purpose of this demonstration, we need to format the output to make it easier to understand the results.

| eval Start_Time=strftime(info_min_time,"%m/%d/%y")
| eval Stop_Time=strftime(info_max_time,"%m/%d/%y")
| table claim_filing_date _time Start_Time info_min_time
        Stop_Time info_max_time "Provider Name"

That’s it, now you have a working search, try it with your data………

Next, you may want to put this into a Dashboard Panel which in this case would look like this.

Now lets add a time picker and a start button.

Finally there are two things we have to do with the panel to make it work so click edit source. 

We are going to provide the time evaluation in our where clause so we don’t need the token=”field1″ statement. So remove this…….

Next, we need to remove the earliest and latest clauses from just after the query.

That’s it save the changes and enjoy the results.

One last thing. These statements could be added to a macro which you would call like this in your search.

`setsorttime(claim_filing_date, %Y-%m-%d)`

To do this, you define the macro, here is the link for building macros…

http://docs.splunk.com/Documentation/Splunk/6.4.3/Knowledge/Definesearchmacros

In the process, you will make these changes to macros.conf

[setsorttime]
 args = sortdatetime, datetimeformat
 definition = eval _time=strptime($sortdatetime$,"$datetimeformat$") 
     | sort _time 
     | addinfo 
     | where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")

Then your search from above would look like this.

| inputlookup SampleData.csv | `setsorttime(claim_filing_date, %Y-%m-%d)` 
| eval Start_Time=strftime(info_min_time,"%m/%d/%y") 
| eval Stop_Time=strftime(info_max_time,"%m/%d/%y") 
| table claim_filing_date _time Start_Time info_min_time 
        Stop_Time info_max_time "Provider Name"

OK lets try this now…….

Good, you’re doing great. Now maybe you would like to add a Radio Button to allow you to pick the field you want to sort on.

In the panel editor, add a drop down and let’s give it a Label of “Pick a Date” and a Token Name of selected_date_field.

Now we can add a few fields to select from. Note that we are simply adding field names and a pretty description of each field.

Now we need to add the Radio Button variable to the search string. Click Edit Search like this.

You can see where I have inserted $selected_date_field$. This is the magic sauce which will choose the field to use for the Time Picker.

Also notice that I we added the new fields and values to the report to make it easier to understand what the Panel is doing.

So this should look something like your very own masterpiece.

That’s it, now you can sort on any time field you have and use it for the time pickin anytime and anywhere you want.

Use Knowledge Wisely.

SplunkYoda

If you feel the Force,? Send me a note.

----------------------------------------------------
Thanks!
David Clawson