Hi, I'm trying to do an inputlookup search with a specific date range of the last 6 months, but am not having any success. I tried converting _time to epoch to then apply a time filter, but that epoch time just results in a blank field.
| inputlookup append=t licensing_epd 
| eval epoch=strptime(_time,"%Y-%m-%d") 
| timechart span=1d sum(count) as count 
| bucket _time span=1d 
| table _time epoch count
Try like this
| inputlookup append=t licensing_epd 
| eval _time=strptime(_time,"%Y-%m-%d") 
| timechart span=1d sum(count) as count 
0 results when I run this query.
What are the results without timechart?
Without the timechart command, the _time column is empty.
_time       count       index
            96754       _audit
            7065998     _internal
            534316      _introspection
            251         _telemetry
            100924602   it_co
            1           main
Yes, the inputlookup command generates a _time value in the format:
2017-12-13
2017-12-14
2017-12-15
@dyeo Does this not work for you?
| inputlookup append=t licensing_epd |  stats sum(count) as count by _time
That works, but how do I convert _time to epoch so that I can filter for the last 6 months?
You can assign epoch=_time, but that will not help you filter data I believe. Can you not use where after inputlookup on _time?
| inputlookup append=t licensing_epd |  stats sum(count) as count by _time| eval epoch=_time
That was it. Thanks! Here's my full query I used to filter for the last 6 months.
| inputlookup append=t licensing_epd 
| stats sum(count) as count by _time 
| eval epoch=_time 
| eval x = now() - epoch 
| where x < 15811200
| table _time count
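The logic of the final query (parse the lookup's YYYY-MM-DD _time, sum count per day, keep only days whose age is under 15811200 seconds, which is 183 days × 86400), reproduced outside Splunk as an added Python example so the window boundary can be checked. This is not part of the thread or of Splunk; the sample rows are constructed from the lookup data posted in this thread, and the reference "now" is passed in explicitly instead of using the current clock.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data mirroring the licensing_epd rows shown in the thread.
SAMPLE_LOOKUP_CSV = """_time,index,count
2017-12-13,_audit,96754
2017-12-13,_internal,7065998
2017-12-13,_introspection,534316
2017-12-13,_telemetry,251
2017-12-13,it_co,100924602
2017-12-13,main,1
2017-12-14,_audit,139595
2017-12-14,_internal,7411574
2017-12-14,_introspection,635669
2017-12-14,_telemetry,272
2017-12-14,it_co,105231185
2017-12-14,main,0
2017-12-14,test,223896
2017-12-15,_audit,175059
2017-12-15,_internal,12261227
"""

# The constant from the accepted query: 183 days expressed in seconds.
SIX_MONTHS_SECONDS = 15811200


def to_epoch(date_str):
    """Equivalent of strptime(_time, "%Y-%m-%d"): the date at 00:00 UTC as epoch seconds."""
    dt = datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def sum_count_by_time(rows):
    """Equivalent of `stats sum(count) as count by _time`."""
    totals = defaultdict(int)
    for row in rows:
        totals[row["_time"]] += int(row["count"])
    return dict(totals)


def filter_last_six_months(totals, now_epoch):
    """Equivalent of `eval x = now() - epoch | where x < 15811200`.

    A day is kept only while its age is strictly less than the window, so a day
    exactly 183 days old is dropped, matching the `<` in the SPL.
    """
    return {
        day: count
        for day, count in totals.items()
        if now_epoch - to_epoch(day) < SIX_MONTHS_SECONDS
    }


def run(csv_text, now_epoch):
    """Parse the lookup CSV, aggregate per day, and apply the 183-day window."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return filter_last_six_months(sum_count_by_time(rows), now_epoch)


if __name__ == "__main__":
    # With a reference time of 2018-06-14, 2017-12-13 is exactly 183 days old
    # and falls outside the window; 2017-12-14 and 2017-12-15 remain.
    for day, count in sorted(run(SAMPLE_LOOKUP_CSV, to_epoch("2018-06-14")).items()):
        print(day, count)
```

Because the window is a fixed number of seconds rather than a calendar offset, "six months" here always means 183 days, which is why the example exercises the day that sits exactly on the boundary.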
@dyeo Only running the inputlookup command gives you values in _time column?
Is there a _time field in your lookup? What format is it in?
Please see sample data below.
Please provide a sample of your licensing_epd data (five or ten rows should be sufficient). That will enable us to see the format of the time field you have stored, and how to convert it to something timechart recognises.
Please see sample data below.
_time       index           count
2017-12-13  _audit          96754
2017-12-13  _internal       7065998
2017-12-13  _introspection  534316
2017-12-13  _telemetry      251
2017-12-13  it_co           100924602
2017-12-13  main            1
2017-12-14  _audit          139595
2017-12-14  _internal       7411574
2017-12-14  _introspection  635669
2017-12-14  _telemetry      272
2017-12-14  it_co           105231185
2017-12-14  main            0
2017-12-14  test            223896
2017-12-15  _audit          175059
2017-12-15  _internal       12261227
