Solved: Filtering the results in Dashboard from InputLooku...

cchange · ‎04-08-2020

Hi,

I'm trying to filter the results of the lookup depend upon the time selection from the dashboard. I have date field in the lookup. Below is the sample of the lookup.

ReportedAt Id status
2020-04-09 5:00:00 567 Pass

I'm trying with below logics but it is not working.

|inputlookup file.csv
|eval timeep = strptime('ReportedAt', "%Y-%m-%d %H:%S")
| addinfo
| where timeep > info_max_time and timeep < info_min_time

====
inputlookup file.csv | where Reportedat > $t1.earliest$ and Reportedat < $t1.latest$

Can you please let me know is there a way to display the results depend upon time selection in the dashboard.

richgalloway · ‎04-08-2020

The first method should work, except the strptime format string is incorrect. Try |eval timeep = strptime('ReportedAt', "%Y-%m-%d %H:%M:%S").
The second method won't work because Splunk can't compare dates in string format.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎04-08-2020

The first method should work, except the strptime format string is incorrect. Try |eval timeep = strptime('ReportedAt', "%Y-%m-%d %H:%M:%S").
The second method won't work because Splunk can't compare dates in string format.

---
If this reply helps you, Karma would be appreciated.

cchange · ‎04-08-2020

Thanks Rich, I overlooked the syntax. Problem is with my where clause. I used logic wrongly and it is not matching filter condition. After correcting my logic, results started to display correctly for first method.

Thanks for your help once again.

Filtering the results in Dashboard from InputLookup Depend Upon Time

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI