Splunk Search

Date range on inputlookup search

dyeo
Engager

Hi, I'm trying to do an inputlookup search with a specific date range of the last 6 months, but am not having any success. I tried converting _time to epoch to then apply a time filter, but that epoch time just results in a blank field.

| inputlookup append=t licensing_epd 
| eval epoch=strptime(_time,"%Y-%m-%d") 
| timechart span=1d sum(count) as count 
| bucket _time span=1d 
| table _time epoch count
0 Karma
1 Solution

Vijeta
Influencer

Try like this

| inputlookup append=t licensing_epd
| eval _time =strptime(_time,"%Y-%m-%d")
| timechart span=1d sum(count) as count

0 Karma

dyeo
Engager

0 results when I run this query.

0 Karma

Vijeta
Influencer

What are the results without timechart?

0 Karma

dyeo
Engager

Without the timechart command, the _time column is empty.

_time   count       index
        96754       _audit
        7065998     _internal
        534316      _introspection
        251         _telemetry
        100924602   it_co
        1           main
0 Karma

dyeo
Engager

Yes, the inputlookup command generates a _time value in the format:

2017-12-13
2017-12-14
2017-12-15

0 Karma

Vijeta
Influencer

@dyeo Does this not work for you?

| inputlookup append=t licensing_epd |  stats sum(count) as count by _time
0 Karma

dyeo
Engager

That works, but how do I convert _time to epoch so that I can filter for the last 6 months?

0 Karma

Vijeta
Influencer

You can assign epoch=_time, but that will not help you filter data I believe. Can you not use where after inputlookup on _time?

| inputlookup append=t licensing_epd |  stats sum(count) as count by _time| eval epoch=_time
0 Karma

dyeo
Engager

That was it. Thanks! Here's my full query I used to filter for the last 6 months.

| inputlookup append=t licensing_epd
| stats sum(count) as count by _time
| eval epoch=_time
| eval x = now() - epoch
| where x < 15811200
| table _time count

0 Karma
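A variant of the final query above that keeps the string-to-epoch conversion explicit and replaces the hard-coded 15811200 seconds with relative_time, so the window follows calendar months. This is an added example, not a query from the thread; it assumes the same licensing_epd lookup with a _time column in %Y-%m-%d form and a numeric count column.

```spl
| inputlookup append=t licensing_epd
| eval _time=strptime(_time, "%Y-%m-%d")
| where _time >= relative_time(now(), "-6mon@d")
| stats sum(count) as count by _time
| eval _time=strftime(_time, "%Y-%m-%d")
| table _time count
```

Rows whose _time does not parse become null after strptime and are dropped by the where clause, so a malformed date in the lookup silently shrinks the result rather than breaking the search; "-6mon@d" snaps to midnight six calendar months back, whereas 15811200 is a fixed 183 days.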

Vijeta
Influencer

@dyeo Does only running the inputlookup command give you values in the _time column?

0 Karma

nabeel652
Builder

Is there a _time field in your lookup? What format is it in?

0 Karma

dyeo
Engager

Please see sample data below.

0 Karma

sduff_splunk
Splunk Employee

Please provide a sample of your licensing_epd data (five or ten rows should be sufficient). That will enable us to see the format of the time field you have stored, and how to convert it to something timechart recognises.

0 Karma

dyeo
Engager

Please see sample data below.

_time index count
2017-12-13 _audit 96754
2017-12-13 _internal 7065998
2017-12-13 _introspection 534316
2017-12-13 _telemetry 251
2017-12-13 it_co 100924602
2017-12-13 main 1
2017-12-14 _audit 139595
2017-12-14 _internal 7411574
2017-12-14 _introspection 635669
2017-12-14 _telemetry 272
2017-12-14 it_co 105231185
2017-12-14 main 0
2017-12-14 test 223896
2017-12-15 _audit 175059
2017-12-15 _internal 12261227

0 Karma