Splunk Truncated Date Comparison


I have the following Splunk search where I have search results working with tokens from another dashboard. I am trying to compare the truncated date of DAY, but I cannot get it to work properly.

MY SEARCH | eval Status = if(isnull(REJECT_REASON), "No Status", REJECT_REASON) 
| eval DATE_UPDATED = strftime(_time, "%Y-%m-%d %H:%M:%S") 
| eval DAY = strftime(_time, "%b %d, %Y") 
| stats values(MEMBER_NBR) as MEMBER_NBR, 
latest(Status) as STATUS, values(DATE_SENT) as "DATE_SENT", 
max(DATE_UPDATED) as DATE_UPDATED by CORRELATIONID
|where STATUS = if("$tok_status$"="", STATUS, "$tok_status$") 
and MEMBER_NBR = if("$tok_member$"="ALL", MEMBER_NBR, "$tok_member$") 
and DAY = if("$tok_day$"="ALL", DAY, "$tok_day$")
|sort limit=0 CORRELATIONID, DATE_UPDATED asc

In my where clause, STATUS and MEMBER_NBR are working fine, but now that I added DAY, no search results are returned.

The token for "tok_day" is coming in as:

form.tok_day=Mar%2020%2C%202024


There is 1 answer

RichG

I'm not sure how the token came to be encoded (perhaps it was the result of a drilldown), but a workaround is to decode the token before using it.

MY SEARCH | eval Status = if(isnull(REJECT_REASON), "No Status", REJECT_REASON) 
| eval DATE_UPDATED = strftime(_time, "%Y-%m-%d %H:%M:%S") 
| eval DAY = strftime(_time, "%b %d, %Y") 
| stats values(MEMBER_NBR) as MEMBER_NBR, 
latest(Status) as STATUS, values(DATE_SENT) as "DATE_SENT", 
latest(DAY) as DAY, 
max(DATE_UPDATED) as DATE_UPDATED by CORRELATIONID
| where STATUS = if("$tok_status$"="", STATUS, "$tok_status$") 
and MEMBER_NBR = if("$tok_member$"="ALL", MEMBER_NBR, "$tok_member$") 
and DAY = if("$tok_day$"="ALL", DAY, urldecode("$tok_day$"))
| sort limit=0 CORRELATIONID, DATE_UPDATED asc
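An added, self-contained SPL example (not from the question or RichG's answer) that builds three constructed events with makeresults, stands in for the dashboard token with a literal tok_day field, and shows the two things the DAY filter depends on: DAY has to be output by stats (here via latest(DAY)) or it no longer exists when where runs, and urldecode turns "Mar%2020%2C%202024" into "Mar 20, 2024" before the comparison. Field names follow the question; CORR-*, M-100 and INVALID_ADDRESS are made-up sample values, and in a dashboard the tok_day eval would be replaced by "$tok_day$".

```spl
| makeresults count=3
| streamstats count AS n
| eval _time = strptime("2024-03-20 10:00:00", "%Y-%m-%d %H:%M:%S") - (n - 1) * 86400
| eval CORRELATIONID = "CORR-" . tostring(n)
| eval MEMBER_NBR = "M-100"
| eval REJECT_REASON = if(n = 2, "INVALID_ADDRESS", null())
| eval Status = if(isnull(REJECT_REASON), "No Status", REJECT_REASON)
| eval DATE_UPDATED = strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval DAY = strftime(_time, "%b %d, %Y")
| stats values(MEMBER_NBR) AS MEMBER_NBR,
        latest(Status) AS STATUS,
        latest(DAY) AS DAY,
        max(DATE_UPDATED) AS DATE_UPDATED
        BY CORRELATIONID
| eval tok_day = "Mar%2020%2C%202024"
| where DAY = if(tok_day = "ALL", DAY, urldecode(tok_day))
| sort limit=0 CORRELATIONID, DATE_UPDATED asc
```

Run from the search bar, only CORR-1 (the Mar 20, 2024 event) survives the where; removing `latest(DAY) AS DAY` from the stats reproduces the empty result the question describes, because DAY is then null for every row.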