Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I use search on lookupfields for earliestTime instead of hardcoding them?

manish31383
New Member
‎10-14-2013 01:22 AM

Hi

I want to use lookupfield search to extract value for earliesTime and latestTime. Can I use as in example below?





source="dbmon-tail://ABC" FIELD1= $field1$ | timechart max(TOTAL_DELAY_IN_SECONDS)

| inputlookup REGION-TIME | search Field1= $field1$ | fields LIVE_START_TIME

now

MY CHART

line

gaps
default
false
right
log
all

Tags (1)
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎10-14-2013 04:37 AM

<earliestTime> is a Splunk time format, so a search cannot be used. However, you could the lookup in the searchString of the chart as a subsearch which restricts the main search.

source="dbmon-tail://ABC" FIELD1=$field1$ [|inputlookup REGION-TIME| search Field1=$field1$ | fields LIVE_START_TIME | rename LIVE_START_TIME as earliest] | timechart max(TOTAL_DELAY_IN_SECONDS)

http://docs.splunk.com/Documentation/Splunk/5.0.5/Viz/PanelreferenceforSimplifiedXML

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...