Is it possible to connect the timestamp given in the Data set to the Splunk date picker.
1

Mads Hansen

Enoy Lu
So basically the data has its own Timestamp, and I want to use that – Enoy Lu Apr 04 '22 at 09:31
1 Answer
1
Every event has at least one timestamp associated with it, _time, and that timestamp is what is connected to the time picker. If you want to use a different field then you'll have to filter the events yourself. Start by converting the Timestamp field into epoch form using the strptime function. Then test that value against the info_min_time and info_max_time fields provided by the addinfo command. That should yield events within the time picker window.
index=foo
```Get the time range of this search (info_min_time / info_max_time)```
| addinfo
```Convert Timestamp into epoch form (%1N = one digit of subseconds)```
| eval ts=strptime(Timestamp, "%Y-%m-%d %H:%M:%S.%1N")
```Keep events within the selected time window: earliest is inclusive, latest is exclusive, the same rule the picker applies to _time```
| where (ts>=info_min_time AND ts<info_max_time)

RichG
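An added Python model of the search above (not code from the answer or from Splunk): it mimics strptime() returning null on a parse failure, applies the picker window with Splunk's inclusive-earliest, exclusive-latest rule, and applies that same window to _time first, because the base search index=foo is already constrained by the picker before addinfo runs. The events and the one-day window are constructed, and the parsed timestamps are assumed to be UTC.

```python
from datetime import datetime, timezone

# Constructed sample window: the time picker set to 2022-04-04 (UTC), one day.
INFO_MIN_TIME = 1649030400.0  # 2022-04-04 00:00:00 UTC
INFO_MAX_TIME = 1649116800.0  # 2022-04-05 00:00:00 UTC

# Constructed events: _time is what Splunk assigned at index time,
# Timestamp is the field carried inside the data itself.
EVENTS = [
    {"id": "in_window",    "_time": 1649066400.0, "Timestamp": "2022-04-04 10:00:00.5"},
    {"id": "at_min",       "_time": 1649066400.0, "Timestamp": "2022-04-04 00:00:00.0"},
    {"id": "before_min",   "_time": 1649066400.0, "Timestamp": "2022-04-03 23:59:59.9"},
    {"id": "at_max",       "_time": 1649066400.0, "Timestamp": "2022-04-05 00:00:00.0"},
    {"id": "unparseable",  "_time": 1649066400.0, "Timestamp": "04/04/2022 10:00"},
    # Indexed a day late: _time is outside the picker, Timestamp is inside it.
    {"id": "arrived_late", "_time": 1649152800.0, "Timestamp": "2022-04-04 12:00:00.3"},
]

def spl_strptime(value, fmt="%Y-%m-%d %H:%M:%S.%f"):
    """Model of strptime(): epoch seconds, or None (Splunk null) when the
    value does not match. Python's %f stands in for Splunk's %1N; assumes UTC."""
    try:
        return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc).timestamp()
    except (TypeError, ValueError):
        return None

def in_window(ts, info_min_time, info_max_time):
    """Splunk time-range rule: earliest is inclusive, latest is exclusive.
    A null ts fails every comparison, so `where` drops the event."""
    if ts is None:
        return False
    return info_min_time <= ts < info_max_time

def base_search(events, info_min_time, info_max_time):
    """`index=foo`: the picker constrains _time before any later command runs."""
    return [e for e in events if in_window(e["_time"], info_min_time, info_max_time)]

def filter_by_timestamp(events, info_min_time, info_max_time):
    """`| addinfo | eval ts=strptime(Timestamp, ...) | where ...` over the base search."""
    kept = []
    for e in base_search(events, info_min_time, info_max_time):
        ts = spl_strptime(e["Timestamp"])
        if in_window(ts, info_min_time, info_max_time):
            kept.append({**e, "ts": ts})
    return kept

if __name__ == "__main__":
    for e in filter_by_timestamp(EVENTS, INFO_MIN_TIME, INFO_MAX_TIME):
        print(e["id"], e["ts"])
```

The arrived_late event never reaches the where clause: its Timestamp is inside the picker window, but its _time is not, so the base search has already discarded it. That is the limit of this approach when _time and Timestamp disagree by more than the picker's slack.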