https://community.splunk.com/t5/Splunk-Search/Inputlookup-trend-for-24hrs-7-days-showing-same-graph/m-p/474923#M133523 <P>Hi Arjun</P> <P>Thanks for your response!<BR /> However the trend for last 24hrs showing similar to 7 days ( Mean even If I opt the last 24hrs in time window)<BR /> Please let me know how to pickup the last 24hrs data from the input lookup.</P> <P>Thanks</P> Wed, 06 Nov 2019 03:39:54 GMT gopiven 2019-11-06T03:39:54Z https://community.splunk.com/t5/Splunk-Search/Inputlookup-trend-for-24hrs-7-days-showing-same-graph/m-p/474921#M133521 <P>Hi experts!</P> <P>Since I am new to Splunk, I understand that we cannot use a time chart with inputlookup(?).<BR /> But I am using (outputlookup + scheduled report) concept to run every hr and using that as inputlookup in the dashboard to draw the trends for 24 hrs and 7 days.</P> <P>Here the format of the lookup:</P> <P><STRONG>Inputlookup name: customerslog.csv<BR /> Userid Clientid date_year date_month date_mday date_wday date_hour date_minute channel<BR /> abc1 clientid1 2019 november 1 friday 17 55 ONLINE<BR /> abc2 clientid2 2019 november 1 friday 19 25 MOBILE<BR /> abc3 clientid1 2019 october 31 thursday 11 44 ONLINE<BR /> abc4 clientid1 2019 november 1 friday 13 26 MOBILE<BR /> abc5 clientid2 2019 october 31 thursday 12 4 MOBILE<BR /> abc6 clientid2 2019 november 2 saturday 16 23 MOBILE<BR /> abc7 clientid1 2019 november 1 friday 18 2 MOBILE<BR /> abc8 clientid2 2019 november 1 friday 17 53 MOBILE<BR /> abc9 clientid2 2019 october 31 thursday 11 47 MOBILE<BR /> abc10 clientid2 2019 november 1 friday 20 14 ONLINE<BR /> abc11 clientid1 2019 october 30 wednesday 19 10 MOBILE<BR /> abc12 clientid2 2019 november 1 friday 18 3 ONLINE<BR /> abc13 clientid2 2019 november 1 friday 12 1 MOBILE<BR /> abc14 clientid2 2019 november 1 friday 19 26 MOBILE<BR /> abc15 clientid1 2019 november 1 friday 11 59 ONLINE<BR /> abc16 clientid2 2019 october 31 thursday 11 45 MOBILE<BR /> abc17 clientid1 2019 october 31 thursday 12 8 MOBILE<BR /> abc18 clientid2 2019 october 30 wednesday 11 56 MOBILE<BR /> abc19 clientid1 2019 october 30 wednesday 16 57 ONLINE</STRONG></P> <P>I would like to show the clientid volume as AVERAGE VOLUME FOR LAST 7 days and Userid volume for last 24 hrs with respect to current time with interval (span=15m) by using the same above inputlookup.</P> <P>To show the average of Client volume across the channel for last 7 days :</P> <PRE><CODE>|inputlookup customerslog.csv | dedup clientid | stats count(clientid) AS CLIENTS by date_hour, date_wday, channel | chart eval(round(avg(CLIENT),0)) AS "AVERAGE NO.OF CLIENTS LOGGED IN" over date_hour by Channel </CODE></PRE> <P>To show the trend for last 24 hrs:</P> <P><CODE>|inputlookup customerslog.csv | stats count(Userid) AS USERSONLY by date_hour, date_wday, channel | chart eval(round(avg(USERSOLNY),0)) AS "AVERAGE NO.OF USERS LOGGED IN" over date_hour by Channel</CODE> --&gt; this is giving same result similar to 7 days trend <BR /> <CODE>|inputlookup customerslog.csv | timechart avg(USERONLY) span=15m</CODE> --&gt; Not Working</P> <P><CODE>|inputlookup customerslog.csv where earliest=-24h@h latest=now | timechart sum(Userid) as USERSONLY by channel</CODE> --&gt; Not working</P> <PRE><CODE>|inputlookup customerslog.csv | timechart span=15m sum(Userid) As "USERSONLY" by channel --&gt; Not working </CODE></PRE> <P>Should I really use earliest and now for the 24hrs trend? </P> <P>Kindly help me with this please and share the search if you have?</P> Wed, 30 Sep 2020 02:48:48 GMT https://community.splunk.com/t5/Splunk-Search/Inputlookup-trend-for-24hrs-7-days-showing-same-graph/m-p/474921#M133521 gopiven 2020-09-30T02:48:48Z https://community.splunk.com/t5/Splunk-Search/Inputlookup-trend-for-24hrs-7-days-showing-same-graph/m-p/474922#M133522 <P>timechart requires _time variable. So you need to convert your date fields to an epoch timestamp.</P> <P>Here's how</P> <PRE><CODE>| inputlookup customerslog.csv | strcat date_year "-" date_month "-" date_mday " " date_hour ":" date_minute timestamp | eval _time=strptime(timestamp, "%Y-%B-%d %H:%M") | timechart avg(USERONLY) span=15m </CODE></PRE> <P>The important part is this</P> <PRE><CODE>| strcat date_year "-" date_month "-" date_mday " " date_hour ":" date_minute timestamp | eval _time=strptime(timestamp, "%Y-%B-%d %H:%M") </CODE></PRE> <P>In this, you are concatenating your different date columns to a single timestamp column and then your're converting that timestamp to an epoch timestamp and assigning it to _time using strptime. I've just used one of your searches as an example. You need to apply this to all your other searches.</P> <P>If you need to build a different format string for your strptime, you can use this - <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Commontimeformatvariables">https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Commontimeformatvariables</A></P> <P>Hope this helps<BR /> Cheers</P> Mon, 04 Nov 2019 12:42:44 GMT https://community.splunk.com/t5/Splunk-Search/Inputlookup-trend-for-24hrs-7-days-showing-same-graph/m-p/474922#M133522 arjunpkishore5 2019-11-04T12:42:44Z https://community.splunk.com/t5/Splunk-Search/Inputlookup-trend-for-24hrs-7-days-showing-same-graph/m-p/474923#M133523 <P>Hi Arjun</P> <P>Thanks for your response!<BR /> However the trend for last 24hrs showing similar to 7 days ( Mean even If I opt the last 24hrs in time window)<BR /> Please let me know how to pickup the last 24hrs data from the input lookup.</P> <P>Thanks</P> Wed, 06 Nov 2019 03:39:54 GMT https://community.splunk.com/t5/Splunk-Search/Inputlookup-trend-for-24hrs-7-days-showing-same-graph/m-p/474923#M133523 gopiven 2019-11-06T03:39:54Z