How to use where in splunk?

The where command expects a predicate expression (see Predicate expressions in the SPL2 Search Manual). In most cases you can use the WHERE clause in the from command instead of a separate where command. Specify wildcards: the where command only supports wildcards through the like function, not with a bare asterisk.

This begs the question “How do I sort results in Splunk web?”

You can sort the results in the Description column by clicking the sort icon in Splunk Web. However, in this example the order would be alphabetical, returning results in Deep, Low, Mid or Mid, Low, Deep order rather than in order of depth.

The search also pipes the results of the eval command into the stats command to count the number of earthquakes and display the minimum and maximum magnitudes for each Description.

What is the timezone in Splunk?

US Pacific Daylight Time, the time zone where Splunk Headquarters is located. A local time is interpreted as being in the same time zone as the Splunk indexer that indexes the data. Sometimes you might see a timestamp expressed as UTC-7 or UTC+3; this is UTC plus or minus the stated offset.

You can set a user time zone using the Splunk Web UI: navigate to Settings > Users and Authentication > Access controls > Users. This will enable users to see search results in their own time zone, although it won’t change the time zone of the event data.

How do I set the time zone for a user’s search results?

When you add or edit users using Splunk authentication, you can set a user time zone. Search results for that user will appear in the specified time zone. This setting, however, does not change the actual event data, whose time zone is determined at index time.

The display of the _time field can be changed either through the user's time zone preference, or by copying _time to another field name and formatting it with eval's strftime. Time stored as the correct epoch value in fields other than _time can be displayed in any format using eval's strftime.
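The following search is an added example, not part of the original page or Splunk's documentation; it ties together the where/like wildcard rule, the Description bucketing and stats counting described above, and the strftime formatting of a copied epoch field. The earthquake rows (depth, mag, place, event_time) are constructed with makeresults so the search runs on any Splunk instance without real data; a numeric rank field is added so that stats orders the buckets Low, Mid, Deep instead of alphabetically.

```spl
| makeresults count=6
| streamstats count AS n
| eval depth=case(n=1, 10, n=2, 65, n=3, 120, n=4, 250, n=5, 400, n=6, 650),
       mag=case(n=1, 2.1, n=2, 4.7, n=3, 3.3, n=4, 5.9, n=5, 4.1, n=6, 6.2),
       place=case(n<=3, "Alaska region", true(), "Fiji region"),
       event_time=_time - (n * 3600)
| where like(place, "%Alaska%") OR mag>=5
| eval Description=case(depth<=70, "Low", depth>70 AND depth<=300, "Mid", depth>300, "Deep")
| eval rank=case(Description="Low", 1, Description="Mid", 2, Description="Deep", 3)
| stats count, min(mag) AS min_mag, max(mag) AS max_mag, min(event_time) AS first_seen BY rank, Description
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S %Z")
| fields - rank
```

Because event_time is a copy of the epoch value rather than _time itself, the strftime at the end renders it in the searching user's configured time zone (the %Z specifier labels which one) while the stored epoch value is unchanged.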

When daylight saving time is over, Pacific Standard Time (PST) is used. The difference between GMT and PST is 8 hours. In Splunk user interfaces, the values in the _time field appear in a human-readable format; however, the values in the _time field are actually stored in UNIX time (seconds since the epoch).