All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter last 24hrs events from inputlookup

gopiven
Explorer
‎11-20-2019 11:38 PM

Hello Splunk Experts

As I have scheduled search(running every hr) creating output lookup file and from there I am using that as input lookup in my dashboards to draw trends for last 7 days and 24 hrs.
However for last 7 days I am able to draw the trend but for 24 hrs I dont know how to filter the events from the overall lookup.

Overall the lookup contains 7 days data and I need to draw the trend for last 7 days and 24 hrs trend.

Kindly help me with the concept please.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

siddharthkhatsu
Explorer
‎11-21-2019 05:05 AM

| inputlookup lookupname | addinfo | where time_field < info_max_time and time_field> info_min_time

P.S. it works best if you have your time field in epoch, else you need to do pre processing on your time field like

| inputlookup lookupname | eval time_field= strptime(time_field, time_format) | addinfo | where time_field < info_max_time and time_field> info_min_time

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-21-2019 07:03 AM

Like this:

|inputlookup YourLookupFileWithTimeDateFieldHere
| where _time >= relative_time(now(), "-24h")
Reply
Solved! Jump to solution

gopiven
Explorer
‎11-21-2019 08:28 PM

Thanks Woodcock for the response.

0 Karma
Reply
Solved! Jump to solution
Solution

siddharthkhatsu
Explorer
‎11-21-2019 05:05 AM

| inputlookup lookupname | addinfo | where time_field < info_max_time and time_field> info_min_time

P.S. it works best if you have your time field in epoch, else you need to do pre processing on your time field like

| inputlookup lookupname | eval time_field= strptime(time_field, time_format) | addinfo | where time_field < info_max_time and time_field> info_min_time

Reply
Solved! Jump to solution

gopiven
Explorer
‎11-21-2019 08:29 PM

Thanks Sid - It worked for me.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...