When you are working with Hadoop using Hunk, or when you are working with Splunk and the time field you want to work with is not _time, you may want to use the time picker in a dashboard with some other time field. You may have the same problem when the current _time field is not the time field you want to use for the current search.

Here is a solution you might use to make time selections work in every case, including in panels.

```
| eval _time= strptime(claim_filing_date,"%Y-%m-%d")
```

| where _time>=info_min_time AND (_time munge later.

```
index=myindex something="thisOneThing" someThingElse="thatThing" myTimeField="06-26-2016"
```

Get as specific as you can and then the search will run in the least amount of time.

This converts the date in "claim_filing_date" into epoch time and stores it in "_time". Learn to specify Date and Time variables here.

This sorts all of the records by time since they weren't in that order before.

This statement adds info_min_time and info_max_time fields which are the min and max of the new values for _time that you have.

```
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
```

The statement is needed for the time control in reports and panels to make it work properly.

Then your search from above would look like this.

```
| inputlookup SampleData.csv
| `setsorttime(claim_filing_date, %Y-%m-%d)`
| eval Start_Time= strftime(info_min_time,"%m/%d/%y")
| eval Stop_Time= strftime(info_max_time,"%m/%d/%y")
| table claim_filing_date _time Start_Time info_min_time
```
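The page invokes a `setsorttime` macro but does not show its definition. One way such a two-argument macro could be defined in macros.conf, as an added example that is not the author's own definition; the argument names, the descending sort order, and the choice of `sort` and `addinfo` for the sorting and info_min_time/info_max_time steps are assumptions:

```ini
# Hypothetical macros.conf stanza (added example, not from the original page).
# Invoked as: `setsorttime(claim_filing_date, %Y-%m-%d)`
#
# Steps in the definition, in order:
#   1. eval    - parse the named field with the given format into epoch _time
#   2. sort 0  - order every row by the new _time (0 lifts the default row limit;
#                newest-first is an assumption)
#   3. addinfo - attach info_min_time / info_max_time from the time picker
#   4. where   - keep rows inside the picked range; info_max_time is "+Infinity"
#                when no latest time is set. Rows whose date did not parse
#                have a null _time and are dropped by this comparison.
[setsorttime(2)]
args = timefield, timeformat
definition = eval _time=strptime($timefield$, "$timeformat$") \
| sort 0 - _time \
| addinfo \
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
iseval = 0
```

Because the `where` runs after the rows are retrieved, the time picker narrows the results shown, not the amount of data the search reads.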