Solved: Re: I'm not able to exclude maintenance time from ... - Page 2

tchintam · ‎03-15-2018

I used this query:

index="abc" source="xyz"
| search [inputlookup example]
| eval End=strptime("End_Date_Time","%Y/%m/%d %H:%M:%S") | eval Start=strptime("Start_Date_Time","%Y/%m/%d %H:%M:%S") | where (_time > End) OR (_time < Start)

This isn't returning any events. Any help?

tiagofbmm · ‎03-15-2018

There you go

   index="abc" source="xyz"  
  [ | inputlookup example
   | eval latest=strptime(End_Date_Time,"%Y/%m/%d %H:%M:%S") , earliest=strptime(Start_Date_Time,"%Y/%m/%d %H:%M:%S") 
  | eval maintenance="_time<"+earliest+" OR _time>"+latest 
| return $maintenance]

View solution in original post

tiagofbmm · ‎03-15-2018

Btw I had a typo in my answer, try this:

 index="abc" source="xyz"  
[ | inputlookup example
 | eval latest=strptime(End_Date_Time,"%Y-%m-%d %H:%M:%S") , earliest=strptime(Start_Date_Time,"%Y-%m-%d %H:%M:%S") 
| return earliest, latest]

tchintam · ‎03-15-2018

Description End_Date_Time Requested_By Start_Date_Time Maintenance 2018/03/10 12:00:00 Sam 2018/03/10 01:00:00

I'm not able to exclude maintenance time from my events when I use inputlookup. Any tips?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!