topic Re: How to use Time Picker(Time range) in "inputlookup"? in Splunk Search

How to use Time Picker(Time range) in "inputlookup"?

sbimizry — Tue, 30 Jul 2019 13:15:05 GMT

Hi,
How to i must use time range earliest=-24h@h latest=now() in search | inputlookup lookup. I tried to do so | inputlookup lookup | search earliest=-24h@h latest=now(), but this not worked.

Re: How to use Time Picker(Time range) in "inputlookup"?

gcusello — Tue, 30 Jul 2019 13:43:17 GMT

Hi sbimizry,
if you need to have _time, you should use a summary index not a lookup.
Bye.
Giuseppe

Re: How to use Time Picker(Time range) in "inputlookup"?

sbimizry — Tue, 30 Jul 2019 14:03:56 GMT

Can I do without him? If 'yes', then how?

Re: How to use Time Picker(Time range) in "inputlookup"?

gcusello — Tue, 30 Jul 2019 14:11:59 GMT

you should save in your lookup a timestamp in epochtime and then modify searches, but it isn't so easy.
Bye.
Giuseppe

Re: How to use Time Picker(Time range) in "inputlookup"?

woodcock — Tue, 30 Jul 2019 14:54:14 GMT

Like this:

| inputlookup lookup
| addinfo
| where (<Your Time Field Name Here> >= info_min_time AND <Your Time Field Name Here> <= info_max_time)

Re: How to use Time Picker(Time range) in "inputlookup"?

jitendragupta — Wed, 30 Sep 2020 01:33:10 GMT

If you want to use earliest and latest mandatorily in your search, push your data to index. In setting -> Add Data -> Upload, select your CSV file. Now _time field value will be the same as timestamp value in your CSV file. After this, select an index or create a new index and add data and start searching.

OR if you want to use inputlookup, use this code at the start of query:

| inputlookup <lookup name>.csv | eval summarydateformat=round(strptime(<time-field>,"%m/%d/%y"),0) | where (summarydateformat >="$time_tok1.earliest$" and summarydateformat <="$time_tok1.latest$")

Replace time-field with the timestamp of your CSV file and time format accordingly. Add a date picker with token name as time_tok1. Add "$time_tok1.earliest$" and "$time_tok1.latest$" in your searches. But in this approach u will not be able to select "last 24 hr", "last 30 days" etc. U can only select To and From date from the date picker.

Re: How to use Time Picker(Time range) in "inputlookup"?

jnudell_2 — Wed, 30 Sep 2020 01:34:53 GMT

Hi @sbimizry ,

If you have not included a time value anywhere in your lookup, then you cannot do this. Lookup files are basically state tables that the owner defines and updates. This means that the owner also defines which fields to include in the lookup, which may or may not (most do not) have a field that references a time value. Even if it DOES reference a time value, it may not be the time value you are thinking of. You would need some logic that executes when you update / create your lookup to add a time value that equates to the execution time of the creation / update of the lookup. Once you have a time field, you can re-map it to the _time field, which should allow you to use search earliest=-24h@h (you don't need latest=now(), Splunk assumes that if you don't provide a latest= statement).

If you HAVE included a time field in your lookup then you can also use @woodcock 's solution above:

 | inputlookup lookup

 | addinfo

 | where ( >= info_min_time AND  <= info_max_time)

I hope this information provides you with your answer.

Re: How to use Time Picker(Time range) in "inputlookup"?

vgtk4431 — Wed, 20 Nov 2019 17:31:21 GMT

We faced an issue with this solution : We need to filter a big time based KVSTore (several millions of lines)
Doing the addinfo/where routes was not a success as it loads everything via the inputlookup then filtering.

The solution we've found is has below :

| inputlookup lookup where 
[| makeresults 
| addinfo 
| table info_min_time 
| format "" "" "" "" "" "" 
| rex field=search "\"(?<search>[^\"]+)\"" ] AND _time<= 
[| makeresults 
| addinfo 
| table info_max_time 
| eval info_max_time=if(info_max_time="+Infinity",2999999999,info_max_time)
| format "" "" "" "" "" "" 
| rex field=search "\"(?<search>[^\"]+)\""]

There may be an easier way to use the format but i'm not every good with this command 🙂

Re: How to use Time Picker(Time range) in "inputlookup"?

splunksan — Fri, 02 Oct 2020 21:34:31 GMT

@woodcock approach worked. thanks!

Re: How to use Time Picker(Time range) in "inputlookup"?

anm_mporter — Tue, 27 Jul 2021 14:14:08 GMT

This is super useful, so I made a macro out of it:

[filter_lookup_time(1)] args = TIME_FIELD definition = ($TIME_FIELD$ >= [ makeresults \ | addinfo \ | return $info_min_time \ ] $TIME_FIELD$ <= [makeresults \ | addinfo \ | eval max_time=if(typeof(info_max_time) == "Number",info_max_time,2147483647) \ | return $max_time])

You use it like this (assumes "my_lookup" has a "ts" field in epoch format):

|inputlookup my_lookup where `filter_lookup_time(ts)`

Re: How to use Time Picker(Time range) in "inputlookup"?

Kiran_Gowda — Tue, 22 Aug 2023 13:26:13 GMT

Hi @jnudell_2 ,

Can you please help with "You would need some logic that executes when you update / create your lookup to add a time value that equates to the execution time of the creation / update of the lookup."

We have similar requirement, where we need to capture the 'time' when 'SUBMIT' button is clicked on a dashboard.

Regards,

Kiran

Re: How to use Time Picker(Time range) in "inputlookup"?

anm_mporter — Tue, 22 Aug 2023 17:39:52 GMT

The submit button doesn't generate an event you can subscribe to. Each element has its own change monitoring via the <change> tag. The Submit button just triggers change actions for any inputs that have changed and are not already set to "search on change"

You could create search that runs whenever ANY of the form tokens change that sets a new token with the last change time.

<search> <query> | makeresults | eval last_update_ts=now() ```$TOKEN1$ $TOKEN2$ $TOKEN3$ $TOKEN4$``` </query> <earliest>-1m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> <done> <set token="last_update_ts">$result.last_update_ts$</set> </done> </search>

That same search COULD actually output to your lookup table using "last_update_ts" as the time field