https://community.splunk.com/t5/Splunk-Search/How-to-loop-through-times-for-same-search/m-p/695380#M236461 <P>It looks like you may be going about this the wrong way. Please explain in non-Splunk terms what it is you are trying to achieve.</P> Tue, 06 Aug 2024 07:20:19 GMT ITWhisperer 2024-08-06T07:20:19Z https://community.splunk.com/t5/Splunk-Search/How-to-loop-through-times-for-same-search/m-p/695378#M236459 <P>Hi Splunk Experts,<BR />I'm not sure how easy it's using Splunk,&nbsp;I've a field (_time) with list of epoch_time values in it. I want to loop through each value and run a search using the time value in below query by replacing $_time$. Any advice would be much appreciated, Thanks in advance!!</P><TABLE border="1" width="100%"><TBODY><TR><TD width="100%" height="24px">_time</TD></TR><TR><TD width="100%" height="24px">1722888000</TD></TR><TR><TD width="100%" height="24px">1722888600</TD></TR><TR><TD width="100%" height="24px">1722889200</TD></TR><TR><TD width="100%" height="24px">1722889800</TD></TR><TR><TD width="100%" height="24px">1722890400</TD></TR><TR><TD width="100%" height="24px">1722891000</TD></TR></TBODY></TABLE><P>&nbsp;</P><LI-CODE lang="markup">index=main earliest=$_time$-3600 latest=$_time$ user arrival | timechart span=10m count by user limit=15 | untable _time user value | join type=left user [| inputlookup UserDetails.csv | eval DateStart=strftime(relative_time($_time$), "-7d@d"), "%Y-%m-%d") | where Date &gt; DateStart]</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Tue, 06 Aug 2024 07:07:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-loop-through-times-for-same-search/m-p/695378#M236459 Thulasinathan_M 2024-08-06T07:07:00Z https://community.splunk.com/t5/Splunk-Search/How-to-loop-through-times-for-same-search/m-p/695380#M236461 <P>It looks like you may be going about this the wrong way. Please explain in non-Splunk terms what it is you are trying to achieve.</P> Tue, 06 Aug 2024 07:20:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-loop-through-times-for-same-search/m-p/695380#M236461 ITWhisperer 2024-08-06T07:20:19Z https://community.splunk.com/t5/Splunk-Search/How-to-loop-through-times-for-same-search/m-p/695381#M236462 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253572">@Thulasinathan_M</a>&nbsp;,</P><P>you cannot use a calculation (earliest=$_time$-3600) in a search, but you can put the values to use for your search in a lookup, with the only attention point to use the same fields, something like this:</P><P>in the lookup you should put two fields: earliest and latest and the run a search like the following</P><LI-CODE lang="markup">index=main [| inputlookup my_time_periods.csv | fields earliest latest ] user arrival | timechart span=10m count by user limit=15 | untable _time user value | join type=left user [| inputlookup UserDetails.csv | eval DateStart=strftime(relative_time(_time), "-7d@d"), "%Y-%m-%d") | where Date &gt; DateStart</LI-CODE><P>two addition infos:</P><P>don't use index=main, but use your own index.</P><P>don't user join for an inputlookup: the lookup command is a left join and in general use the join command only when you haven't any other solution because Splunk isn't a database and it's a very slow command!</P><P>please try this:</P><LI-CODE lang="markup">index=your_index [| inputlookup my_time_periods.csv | fields earliest latest ] user arrival | timechart span=10m count by user limit=15 | untable _time user value | lookup UserDetails.csv user | eval DateStart=strftime(relative_time(_time), "-7d@d"), "%Y-%m-%d") | where Date &gt; DateStart</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 06 Aug 2024 07:21:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-loop-through-times-for-same-search/m-p/695381#M236462 gcusello 2024-08-06T07:21:25Z