|
I have events like this Here Start field has the value 1271646762 and End field has the value 1273602865 How do I make the custom field automatically change based on the earliest epoch time on Start field and latest epoch time on End field ? These events are coming from a CSV file which gets updated by cronjob. So when I search for the report with index="hobbit" I like the timerange to automatically change based on the only CSV file it indexes. I like the timerange to show something like this |
|
I really don't understand your question.... Are you trying to use the CSV events to determine the timerange of search in splunk? That seems like an odd thing to do, but it's somewhat possible using the You could try a search like:
This isn't going to reset the timerange picker in the upper right hand of the screen, if that's what you are trying to do. If you are simply trying to see
If you clarify your question, I or someone else may be able to give you a better suggestion. |
|
Are you asking for a way users can interact with those events that would be like: 'search for events between this start and endtime'? If so then you can use a workflow action. In brief, you can configure a workflow action, such that when the 'Start' field and the 'End' field are both present in any event, the user is given an option in the event menu that can be a URL (ie to flashtimeline), and in that URL you can use the Start and End field values to preset the earliest= and latest= arguments in the flashtimeline URL. Setting those arguments will correctly prepopulate the TimeRangePicker. And the URI part of your workflow action would look like this: http:///en-US/app/search/flashtimeline?q=search%20sourcetype%3Dfoo&earliest=$Start$&latest=$End$ |
