Splunk version: 6.4
Localization specifier in the URL: en_US
search 1:
earliest="01/08/2016:00:00:01" latest="01/08/2016:23:59:59" `getABC("xyz","abc123")`
search 2:
timeformat="%d/%m/%Y:%H:%M:%S" earliest="01/08/2016:00:00:01" latest="01/08/2016:23:59:59" `getABC("xyz","abc123")`
search 3:
earliest="01/08/2016:00:00:01" latest="01/08/2016:23:59:59" timeformat="%d/%m/%Y:%H:%M:%S" `getABC("xyz","abc123")`
Now search 1 is displaying the results for January 8th 2016 and search 2 is displaying the results for August 1st. Here I'm looking for August 1st, so search 2 is the correct format I need.
How can I add the timeformat string to the getABC() macro so that search 1 displays results for August 1st 2016?
Where getABC is a macro as follows:
tag=xTH sourcetype="hjhjhj" $username$ host=$system$ | dedup _raw | `setXYZSystemWindows` | `setXYZUsernameWindows` | search xyz_username="$username$" xyz_system="$system$" | `setXYZRiskRating` | `setXYZActivityInfosWindows` | `setXYZInfoFieldWindows` | `tabelizeActivities` | `beautifyXYZFieldnames`
Note: And if I give the timeformat somewhere other than the beginning of the search, as shown in search 3, then the search displays the results for January 1st 2016.
So is it possible to add that timeformat in the macro in such a way that the timeformat comes at the beginning of the search?
Sorry for the confusing English. Please post a solution if you understand my post.
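The core of the problem above is that "01/08/2016:00:00:01" is a valid date under both the month-first and the day-first layout, so whichever timeformat applies to the earliest/latest values silently picks the day that gets searched. The following added example (not part of the original post, not Splunk code, and not the getABC macro) is a small Python check that parses an earliest/latest pair under Splunk's documented default format %m/%d/%Y:%H:%M:%S and under the %d/%m/%Y:%H:%M:%S format used in search 2, and flags the range as ambiguous when the two readings disagree. Only the two format strings are taken from the post; the function names and the sample inputs are constructed for this example.

```python
from datetime import datetime

# Splunk's default timeformat for earliest/latest (month first) and the
# day-first format the question's search 2 sets explicitly.
DEFAULT_FMT = "%m/%d/%Y:%H:%M:%S"
DAY_FIRST_FMT = "%d/%m/%Y:%H:%M:%S"


def parse_both(ts):
    """Parse one time-modifier value under both formats.

    Returns a dict {format: datetime or None}; None means the string is
    not a valid date under that format (e.g. "25/08/2016" month-first).
    """
    out = {}
    for fmt in (DEFAULT_FMT, DAY_FIRST_FMT):
        try:
            out[fmt] = datetime.strptime(ts, fmt)
        except ValueError:
            out[fmt] = None
    return out


def is_ambiguous(ts):
    """True when the value parses under both formats to different days."""
    r = parse_both(ts)
    a, b = r[DEFAULT_FMT], r[DAY_FIRST_FMT]
    return a is not None and b is not None and a.date() != b.date()


def audit_time_range(earliest, latest):
    """Report how a search's earliest/latest pair is read under each format.

    The 'ambiguous' flag is what a reviewer would want to see before
    trusting results from a search whose timeformat is not pinned at the
    start of the search string.
    """
    e, l = parse_both(earliest), parse_both(latest)
    report = {"ambiguous": is_ambiguous(earliest) or is_ambiguous(latest)}
    for label, fmt in (("month_first", DEFAULT_FMT), ("day_first", DAY_FIRST_FMT)):
        if e[fmt] is None or l[fmt] is None:
            report[label] = None  # range is not valid under this format
        else:
            report[label] = (e[fmt].date().isoformat(), l[fmt].date().isoformat())
    return report


if __name__ == "__main__":
    # Constructed sample: the exact earliest/latest pair from the question.
    print(audit_time_range("01/08/2016:00:00:01", "01/08/2016:23:59:59"))
    # Constructed sample: a day > 12 removes the ambiguity (month-first fails).
    print(audit_time_range("25/08/2016:00:00:01", "25/08/2016:23:59:59"))
```

Running the audit on the question's own range shows the January 8 reading beside the August 1 reading with ambiguous set to True, which is exactly the discrepancy between search 1 and search 2; a range with a day above 12 is only valid day-first and is reported as unambiguous.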