
I'm not able to exclude maintenance time from my events when I use inputlookup. Any tips?

Path Finder

I used this query:

index="abc" source="xyz"
| search [inputlookup example]
| eval End=strptime("EndDateTime","%Y/%m/%d %H:%M:%S") | eval Start=strptime("StartDateTime","%Y/%m/%d %H:%M:%S") | where (time > End) OR (time < Start)

This isn't returning any events. Any help?


Re: I'm not able to exclude maintenance time from my events when I use inputlookup. Any tips?

Influencer

Hi

Make sure the EndDateTime and StartDateTime are both strings and the format of the strptime is correct against this documentation:

http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Commontimeformatvariables

index="abc" source="xyz"  [ | inputlookup example | eval latest=strptime(End_Date_Time,"%Y-%m-%d %H:%M:%S") , earliest=strptime(Start_Date_Time,"%Y-%m-%d %H:%M:%S") | return earliest, latest]

Re: I'm not able to exclude maintenance time from my events when I use inputlookup. Any tips?

Path Finder

That didn't help. Same thing. No events.


Re: I'm not able to exclude maintenance time from my events when I use inputlookup. Any tips?

Influencer

Can you show me a line in your example lookup please?


Re: I'm not able to exclude maintenance time from my events when I use inputlookup. Any tips?

Path Finder

Description,EndDateTime,RequestedBy,StartDate_Time
Maintenance,2018/03/10 12:00:00,Sam,2018/03/10 01:00:00


Re: I'm not able to exclude maintenance time from my events when I use inputlookup. Any tips?

Influencer

Btw I had a typo in my answer, try this:

 index="abc" source="xyz"  
[ | inputlookup example
 | eval latest=strptime(End_Date_Time,"%Y-%m-%d %H:%M:%S") , earliest=strptime(Start_Date_Time,"%Y-%m-%d %H:%M:%S") 
| return earliest, latest]

Re: I'm not able to exclude maintenance time from my events when I use inputlookup. Any tips?

Influencer

Ok so that was the problem the format of strptime:

  index="abc" source="xyz"  
 [ | inputlookup example
  | eval latest=strptime(End_Date_Time,"%Y/%m/%d %H:%M:%S") , earliest=strptime(Start_Date_Time,"%Y/%m/%d %H:%M:%S") 
 | return earliest, latest]

Try it and let me know


Re: I'm not able to exclude maintenance time from my events when I use inputlookup. Any tips?

Path Finder

Ah yes. That works. But, what I want is the opposite. I want to exclude the events of the time specified and want the rest of them.


Re: I'm not able to exclude maintenance time from my events when I use inputlookup. Any tips?

Influencer

There you go

   index="abc" source="xyz"  
  [ | inputlookup example
   | eval latest=strptime(End_Date_Time,"%Y/%m/%d %H:%M:%S") , earliest=strptime(Start_Date_Time,"%Y/%m/%d %H:%M:%S") 
  | eval maintenance="_time<"+earliest+" OR _time>"+latest 
| return $maintenance]

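The accepted answer above builds a single "_time<earliest OR _time>latest" clause from the lookup and passes it up with return. Two things a practitioner will want to check before relying on it: the strptime format string and the field names in the eval must match the lookup exactly (a format mismatch, as seen earlier in this thread, and a misspelled field name both make strptime return null, so no clause is built and no events come back), and return hands up only the first row by default, so with several maintenance windows in the lookup only the first one is excluded. When more than one window is passed up, the per-window clauses have to be joined with AND, not OR, because any event is outside at least one of two disjoint windows and an OR would keep everything. The following Python is an added example written for this page, not code from the original thread or from Splunk; it mirrors the accepted answer's boundary semantics (events exactly on a window boundary count as maintenance), parses a constructed two-row lookup with the column names from the sample line posted above, filters constructed events, and emits the AND-joined search condition. It assumes the lookup timestamps are UTC; in Splunk, strptime on a timestamp with no zone uses the search's configured time zone instead.

```python
from datetime import datetime, timezone

# Time format used in the lookup sample posted in the thread (YYYY/MM/DD HH:MM:SS).
LOOKUP_TIME_FMT = "%Y/%m/%d %H:%M:%S"

# Constructed lookup rows. Column names follow the sample line in the thread;
# the second row is added to show how more than one window must be handled.
MAINTENANCE_LOOKUP = [
    {"Description": "Maintenance", "EndDateTime": "2018/03/10 12:00:00",
     "RequestedBy": "Sam", "StartDate_Time": "2018/03/10 01:00:00"},
    {"Description": "Patching", "EndDateTime": "2018/03/12 04:00:00",
     "RequestedBy": "Sam", "StartDate_Time": "2018/03/12 02:00:00"},
]


def parse_lookup_time(value, fmt=LOOKUP_TIME_FMT):
    """Epoch seconds for a lookup timestamp (assumed UTC), or None when the
    format does not match. Splunk's strptime likewise yields null on a
    mismatch, which is why the wrong format string produced no events."""
    try:
        return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc).timestamp()
    except ValueError:
        return None


def load_windows(rows, start_field="StartDate_Time", end_field="EndDateTime"):
    """Turn lookup rows into (start, end) epoch pairs, failing loudly on a row
    whose timestamps do not parse or whose end precedes its start."""
    windows = []
    for row in rows:
        start = parse_lookup_time(row.get(start_field, ""))
        end = parse_lookup_time(row.get(end_field, ""))
        if start is None or end is None:
            raise ValueError(f"unparseable or missing window in row {row!r}")
        if end < start:
            raise ValueError(f"window ends before it starts: {row!r}")
        windows.append((start, end))
    return windows


def in_maintenance(ts, windows):
    # Same boundary semantics as "_time<earliest OR _time>latest" keeping an
    # event: a timestamp exactly on a boundary is treated as maintenance.
    return any(start <= ts <= end for start, end in windows)


def exclude_maintenance(events, windows):
    """Keep only events that fall outside every maintenance window."""
    return [e for e in events if not in_maintenance(e["_time"], windows)]


def spl_exclusion(windows):
    """Build the search-time condition for all windows. Per-window clauses are
    ANDed: an OR of them would keep every event, since any event lies outside
    at least one of two disjoint windows."""
    clauses = [f"(_time<{start:.0f} OR _time>{end:.0f})" for start, end in windows]
    return " AND ".join(clauses)


# Constructed sample events (epoch seconds, UTC) around both windows.
EVENTS = [
    {"_time": parse_lookup_time("2018/03/10 00:30:00"), "msg": "before window 1"},
    {"_time": parse_lookup_time("2018/03/10 06:00:00"), "msg": "inside window 1"},
    {"_time": parse_lookup_time("2018/03/10 12:00:00"), "msg": "on window 1 boundary"},
    {"_time": parse_lookup_time("2018/03/11 09:00:00"), "msg": "between windows"},
    {"_time": parse_lookup_time("2018/03/12 03:00:00"), "msg": "inside window 2"},
    {"_time": parse_lookup_time("2018/03/12 05:00:00"), "msg": "after window 2"},
]

if __name__ == "__main__":
    wins = load_windows(MAINTENANCE_LOOKUP)
    for e in exclude_maintenance(EVENTS, wins):
        print(e["msg"])
    print(spl_exclusion(wins))
```

Running the block prints the three events outside both windows and the condition string; the generated clause can be dropped straight after the base search in place of the subsearch. Before trusting a subsearch-built version in Splunk, open the Job Inspector and read the normalized search to confirm the clause actually contains every window from the lookup.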

Re: I'm not able to exclude maintenance time from my events when I use inputlookup. Any tips?

Path Finder

Thanks a lot! That worked like a charm. Much appreciated.
