Solved: How to create a dashboard from a lookup file that ...

jnguyen413 · ‎09-13-2016

I am trying to create a dashboard from a lookup file that has fields:

Ticket_ID
Open_Date

Close_Date
Description

I am having the hardest time trying to get the Time input field to reference the Open_Date so that it's easier to search for certain tickets between a certain date from a dashboard. I have tried eval _time=Open_Date but that didn't work for me. Any ideas?

Below is a sample of the fields:
Ticket_ID = 123
Open_Date = 9/4/2014 9:07:29 AM
Close_Date = 9/5/2014 9:07:29 AM
Description = This is an example.

sloshburch · ‎09-14-2016

The time selector criteria of a search will only run on the _time value of the raw events - which don't exist here since you have a lookup file.

Your options:

If you want to filter on a field of those events, you would have to add in your own logic. Most do this by creating some static items in an input selector - the token of which is passed to the search as criteria against those lookup entries.
Index the lookup file data (instead of using a lookup file) with one of the fields being processed as the _time value. Then you'll be able to do this using the raw events.

If still is no good, we can talk about the goal of the dashboard itself and make sure that we haven't overlooked a different solution all together.

View solution in original post

sloshburch · ‎09-14-2016

The time selector criteria of a search will only run on the _time value of the raw events - which don't exist here since you have a lookup file.

Your options:

If you want to filter on a field of those events, you would have to add in your own logic. Most do this by creating some static items in an input selector - the token of which is passed to the search as criteria against those lookup entries.
Index the lookup file data (instead of using a lookup file) with one of the fields being processed as the _time value. Then you'll be able to do this using the raw events.

If still is no good, we can talk about the goal of the dashboard itself and make sure that we haven't overlooked a different solution all together.

somesoni2 · ‎09-13-2016

Try something like this. This should give only the results where Open_Date values are between selected time range.

| inputlookup yourLookupTable.csv | eval _time=strptime(Open_Date,"%m/%d/%Y %H:%M:%S %p") | search _time>=[| gentimes start=-1 | eval search=info_min_time | table search] AND _time<[| gentimes start=-1 | eval search=info_max_time | table search]

OR

| inputlookup yourLookupTable.csv | eval filterdate=strftime(strptime(Open_Date,"%m/%d/%Y %H:%M:%S %p"),"%m/%d/%Y:%H:%M:%S") | search filter>=[| gentimes start=-1 | eval search=strftime(info_min_time,"%m/%d/%Y:%H:%M:%S") | table search] AND filter<[| gentimes start=-1 | eval search=strftime(info_max_time,"%m/%d/%Y:%H:%M:%S") | table search]

jnguyen413 · ‎09-14-2016

I understand how to find events between dates, but I am trying to see if its possible for me to use the Time input box on a dashboard for my lookup file even though I set my Open_Date field as _time.

richgalloway · ‎09-13-2016

I think _time needs to be in epoch form. Try eval _time=strptime(Open_Date,"%m/%d/%Y %H:%M:%S %p").

---
If this reply helps you, Karma would be appreciated.

jnguyen413 · ‎09-14-2016

Unfortunately, I have already tried that and it didn't work.

How to create a dashboard from a lookup file that references a Time input field?

Splunk Classroom Chronicles: Training Tales and Testimonials

Access Tokens Page - New & Improved

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!