Restricting date range in data from inputlookup

hollybross1219 · ‎12-29-2020

My goal is to make a report that has running total (cumulative) data across years. Current year data is queried from Splunk while prior year data is all housed in a lookup (called TY19_Splunk_total_data.csv).

My issue is that this report will be on a dashboard that has date range selectors. When the date range is selected, the streamstats works correctly for current year data (since it isolates the data from dates selected in the range THEN adds) but not for prior year data because I don't know how to restrict data in the inputlookup by "date" + 1 yr while at the same time, having the tokens apply to my base splunk search.

Hopefully that makes sense... here's the query I'm working with

[base query] year=<current_year>
| timechart span=1d dc(intuit_tid) as current_year_data
| streamstats sum(current_year_data) as current_year_data
| eval time=strftime(_time,"%m-%d")
| join time
[| inputlookup TY19_Splunk_total_data.csv
| eval token_time=relative_time(strptime(time,"%m/%d/%Y"),"+1y")
| where capability="W2" and token_time>=$time.earliest$ and token_time<$time.latest$
| eval time=strftime(strptime(time,"%m/%d/%Y"),"%m-%d")
| stats sum(attempts) as prior_year_data by time
| streamstats sum(prior_year_data ) as prior_year_data
| fields time prior_year_data ]
| fields time current_year_data prior_year_data
| fields - _time

to4kawa · ‎12-29-2020

| makeresults
| eval time="01/01/2019"
| eval token_time=relative_time(strptime(time,"%m/%d/%Y"),"+1y")
| convert ctime(token_time)

token_time has no problem.

| where capability="W2" and token_time>=$time.earliest$ and token_time<$time.latest$
has problem. It is not coming in epoch time.

Restricting date range in data from inputlookup

troubleshooting

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Splunk and Fraud

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...