Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

kvstore, inputlookup and time-bounds

lfrit
New Member
‎09-08-2017 04:11 AM

I'm trying to set up a kvstore lookup where the results from inputlookup can be filtered using the regular time-pickers available on the web GUI or with the latest= and earliest= modifiers.

$ collections.conf
[testkv]
enforceTypes = true
field.action = string
field.ts = time

$ transforms.conf
[testkv]
external_type = kvstore
fields_list =  action, ts
time_field = ts
;time_format = %s.%3N
;time_format = %s.%Q

The ts field contains a UNIX epoch with milliseconds so 10+3 digits.

Regardless what I select "Last 15 minutes", "Last 4 hours" I always get the whole kvstore content.

First of all, is that doable in general and, if yes, any ideas on what's wrong? 🙂

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-09-2017 08:36 AM

Sure, but not in a normal way. Do it like this:

| makeresults
| addinfo
| map
    [| inputlookup testkv
    | search ts>=$info_min_time$ AND ts<=$info_max_time$]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-09-2017 08:36 AM

Sure, but not in a normal way. Do it like this:

| makeresults
| addinfo
| map
    [| inputlookup testkv
    | search ts>=$info_min_time$ AND ts<=$info_max_time$]
0 Karma
Reply
Solved! Jump to solution

frechette
Explorer
‎04-30-2020 03:34 PM

Why should you have to explicitly filter by time with a "search" or "where" command for a kvstore lookup when you don't have to with a regular search from an index?! This is a terrible approach. If it's the only approach to filtering a kvstore lookup by time then shame on Splunk.

0 Karma
Reply
Solved! Jump to solution

dnitschke_splun
Splunk Employee
Splunk Employee
‎05-02-2020 07:56 AM

You can also add the time filter into the WHERE clause of inputlookup, e.g.

| inputlookup testkv WHERE
[| makeresults count=1
| addinfo
| eval info_max_time=if(info_max_time=="+Infinity", 2147483647, info_max_time)
| eval search="( (ts>=" . info_min_time . ") AND (" . "ts<" . info_max_time . ") )"
| table search ]

0 Karma
Reply
Solved! Jump to solution

lfrit
New Member
‎09-11-2017 02:38 AM

Many thanks! That's a really interesting approach 🙂

I've just added a small workaround to handle the "All time" case and it seems to work as expected, I can simply create a dedicated macro now to make it more handy.

 | makeresults
 | addinfo
 | eval info_max_time=if(info_max_time=="+Infinity", 9999999999999, info_max_time)
 | map
     [| inputlookup testkv
     | search ts>=$info_min_time$ AND ts<=$info_max_time$]

Do you know any sort trick to cast that "+Infinity" so I can directly compare it with my ts field?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-11-2017 06:29 AM

I should have caught that. I would do it exactly as you have done

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...