Solved: Date range on inputlookup search

dyeo · ‎05-11-2019

Hi I'm trying to do an inputlookup search with a specific date range of the last 6 months, but am not having any success. I tried converting _time to epoch to then apply a time filter, but that epoch time just results in a blank field.

| inputlookup append=t licensing_epd 
| eval epoch=strptime(_time,"%Y-%m-%d") 
| timechart span=1d sum(count) as count 
| bucket _time span=1d 
| table _time epoch count

Vijeta · ‎05-16-2019

Try like this

| inputlookup append=t licensing_epd
| eval _time =strptime(_time,"%Y-%m-%d")
| timechart span=1d sum(count) as count

View solution in original post

Vijeta · ‎05-16-2019

Try like this

| inputlookup append=t licensing_epd
| eval _time =strptime(_time,"%Y-%m-%d")
| timechart span=1d sum(count) as count

dyeo · ‎05-16-2019

0 results when I run this query.

Vijeta · ‎05-16-2019

What are the results without timechart ?

dyeo · ‎05-17-2019

Without the timechart command, the _time column is empty.

_time   count       index
        96754       _audit
        7065998     _internal
        534316      _introspection
        251         _telemetry
        100924602   it_co
        1           main

dyeo · ‎05-17-2019

Yes, the inputlookup command generates a _time value in the format:

2017-12-13
2017-12-14
2017-12-15

Vijeta · ‎05-17-2019

@dyeo Does this not work for you?

| inputlookup append=t licensing_epd |  stats sum(count) as count by _time

dyeo · ‎05-17-2019

That works, but how do I convert _time to epoch so that I can filter for the last 6 months?

Vijeta · ‎05-17-2019

You can assign epoch=_time, but that will not help you filter data I believe. Can you not use where after inputlookup on _time?

| inputlookup append=t licensing_epd |  stats sum(count) as count by _time| eval epoch=_time

dyeo · ‎05-17-2019

That was it. Thanks! Here's my full query I used to filter for the last 6 months.

Vijeta · ‎05-17-2019

@dyeo Only running the inputlookup command gives you values in _time column?

nabeel652 · ‎05-13-2019

Is there a _time field in your lookup? What format is it in?

dyeo · ‎05-16-2019

Please see sample data below.

sduff_splunk · ‎05-12-2019

Please provide a sample of your licensing_epd data (five or ten rows should be sufficient). That will enable us to see the format of the time field you have stored, and how to convert it to something timechart recognises.

dyeo · ‎05-16-2019

Please see sample data below.

_time index count
2017-12-13 _audit 96754
2017-12-13 _internal 7065998
2017-12-13 _introspection 534316
2017-12-13 _telemetry 251
2017-12-13 it_co 100924602
2017-12-13 main 1
2017-12-14 _audit 139595
2017-12-14 _internal 7411574
2017-12-14 _introspection 635669
2017-12-14 _telemetry 272
2017-12-14 it_co 105231185
2017-12-14 main 0
2017-12-14 test 223896
2017-12-15 _audit 175059
2017-12-15 _internal 12261227

Date range on inputlookup search

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...