Hello Splunk Experts,
I have a scheduled search (running every hour) that creates an output lookup file, and from there I use it as an input lookup in my dashboards to draw trends for the last 7 days and the last 24 hours.
However, for the last 7 days I am able to draw the trend, but for the last 24 hours I don't know how to filter the events from the overall lookup.
Overall the lookup contains 7 days of data, and I need to draw both the 7-day trend and the 24-hour trend from it.
Kindly help me with the concept please.
Thanks
| inputlookup lookupname
| addinfo
| where time_field < info_max_time AND time_field > info_min_time
P.S. It works best if you have your time field in epoch; otherwise you need to do pre-processing on your time field, like this:
| inputlookup lookupname
| eval time_field = strptime(time_field, time_format)
| addinfo
| where time_field < info_max_time AND time_field > info_min_time
Like this:
| inputlookup YourLookupFileWithTimeDateFieldHere
| where _time >= relative_time(now(), "-24h")
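Putting the two answers together into one dashboard panel search, as an added example that is not from either answer in this thread. The lookup name trend_lookup.csv, the field names time_field and count, and the timestamp format "%Y-%m-%d %H:%M:%S" are assumptions; substitute your own. It parses the lookup's string timestamp into epoch, writes it to _time so that timechart can bucket on it, keeps only the last 24 hours, and draws the hourly trend:

```spl
| inputlookup trend_lookup.csv
| eval _time = strptime(time_field, "%Y-%m-%d %H:%M:%S")
| where _time >= relative_time(now(), "-24h")
| timechart span=1h sum(count) AS count
```

Two points worth checking. First, the strptime step matters: if time_field stays a string, the comparison against relative_time() (or against info_min_time/info_max_time from addinfo) is a string comparison, not a numeric one, and the filter silently returns the wrong rows. Second, relative_time(now(), "-24h") is fixed regardless of the dashboard time picker; for a panel that should follow the picker, replace the where line with "| addinfo | where _time >= info_min_time AND _time <= info_max_time" as in the first answer. For the 7-day panel, change "-24h" to "-7d" and widen span as you see fit. Since the scheduled search only refreshes the lookup once an hour, the most recent bucket can lag by up to an hour.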
Thanks Woodcock for the response.
Thanks Sid, it worked for me.