Splunk Search

How to edit our inputlookup search to only return data for the last 3 months?

Path Finder

Hi,

We are looking for a search which would give availability for the last 3 months.

We came up with the search below that would give availability for the last 12 months. This search is built from an inputlookup file. Can you please advise how to enhance this search to only get data for the last 3 months?

| inputlookup availability_metrics.csv
| replace ".Net" with Windows, sphere with Sphere, "Hadoop - Platinum" with Hadoop, "IDN Teradata" with TeraData, "IDN DW - IQAX" with Sybase, analytics with SAS, idndm with "Data Management", IDN with "IDN Mainframe"
| rename Product as Platform
| join type=left Platform [ | inputlookup sys_user_group.csv ]
| eval Tier=if(isnull(Tier), "L2", Tier)
| stats values(Jan) as Jan values(Feb) as Feb values(Mar) as Mar values(Apr) as Apr values(May) as May values(Jun) as Jun values(Jul) as Jul values(Aug) as Aug values(Sep) as Sep values(Oct) as Oct values(Nov) as Nov values(Dec) as Dec by Platform

Thanks

0 Karma

Legend

Try this

| inputlookup availability_metrics.csv
| replace ".Net" with Windows, sphere with Sphere, "Hadoop - Platinum" with Hadoop, "IDN Teradata" with TeraData, "IDN DW - IQAX" with Sybase, analytics with SAS, idndm with "Data Management", IDN with "IDN Mainframe"
| rename Product as Platform
| join type=left Platform [ | inputlookup sys_user_group.csv ]
| eval Tier=if(isnull(Tier), "L2", Tier)
| stats values(Jan) as Jan values(Feb) as Feb values(Mar) as Mar values(Apr) as Apr values(May) as May values(Jun) as Jun values(Jul) as Jul values(Aug) as Aug values(Sep) as Sep values(Oct) as Oct values(Nov) as Nov values(Dec) as Dec by Platform
| table Platform [ | gentimes start=-1 | eval search=strftime(relative_time(now(), "-2mon"), "%b")." ".strftime(relative_time(now(), "-1mon"), "%b")." ".strftime(now(), "%b") | table search ]
0 Karma
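The answer above relies on a subsearch that names the three most recent month columns at run time. As an added example that is not part of the thread, the same transformation (product-name normalisation, the left join with a default Tier, and selection of the last three month columns) is modelled below in Python so the month-selection logic can be checked offline. The two CSV blocks are constructed stand-ins for availability_metrics.csv and sys_user_group.csv; the assumption that sys_user_group.csv carries Platform and Tier columns comes from the join and eval in the question. The month window is computed with calendar-month arithmetic rather than day offsets, which is the edge case a -30d/-60d approach gets wrong late in a 31-day month, and it wraps across the year boundary in January.

```python
"""Added example (not from the original thread): the lookup transformation
from the question, modelled in Python to check the last-N-months selection.
All sample rows are constructed; lookup names and mappings follow the thread."""
import csv
import io
from datetime import date

# Product name normalisation taken from the question's replace command.
# Plain dictionary lookup: exact matches only, no wildcard handling.
PRODUCT_MAP = {
    ".Net": "Windows",
    "sphere": "Sphere",
    "Hadoop - Platinum": "Hadoop",
    "IDN Teradata": "TeraData",
    "IDN DW - IQAX": "Sybase",
    "analytics": "SAS",
    "idndm": "Data Management",
    "IDN": "IDN Mainframe",
}
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Constructed stand-in for availability_metrics.csv: one column per month, no _time.
AVAILABILITY_CSV = """Product,Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec
.Net,99.9,99.8,99.9,99.7,99.9,99.9,99.8,99.9,99.9,99.6,99.9,99.9
Hadoop - Platinum,98.5,99.1,99.0,98.9,99.2,99.3,99.1,99.0,99.2,99.4,99.1,99.0
IDN,99.99,99.99,99.98,99.99,99.99,99.97,99.99,99.99,99.99,99.99,99.98,99.99
"""
# Constructed stand-in for sys_user_group.csv (assumed Platform,Tier layout).
GROUPS_CSV = """Platform,Tier
Windows,L1
Hadoop,L3
"""


def last_n_months(month: int, n: int = 3) -> list:
    """Abbreviations of the n most recent calendar months, ending with `month`
    (1-12). Uses month arithmetic instead of -30d/-60d day offsets: a day
    offset taken on the 31st can land in the same month twice. In January the
    window wraps to Nov and Dec, which in a single-year lookup refer to the
    previous year's columns; that is inherent to a lookup without a year field."""
    idx = month - 1  # 0-based index of the current month
    return [MONTHS[(idx - k) % 12] for k in range(n - 1, -1, -1)]


def availability_last_months(avail_csv: str, groups_csv: str,
                             month: int, n: int = 3) -> list:
    """Normalise Product -> Platform, left-join the Tier lookup (default "L2",
    as the eval in the question does), and keep only the last n month columns."""
    tiers = {r["Platform"]: r["Tier"]
             for r in csv.DictReader(io.StringIO(groups_csv))}
    keep = last_n_months(month, n)
    out = []
    for row in csv.DictReader(io.StringIO(avail_csv)):
        platform = PRODUCT_MAP.get(row["Product"], row["Product"])
        rec = {"Platform": platform, "Tier": tiers.get(platform, "L2")}
        rec.update({m: float(row[m]) for m in keep})
        out.append(rec)
    return out


if __name__ == "__main__":
    # Equivalent of the run-time subsearch: pick the window from today's month.
    for rec in availability_last_months(AVAILABILITY_CSV, GROUPS_CSV, date.today().month):
        print(rec)
```

Run it directly to print the reduced table for the current month; `last_n_months` is the piece to compare against the `strftime`/`relative_time` subsearch, since the column names it yields are exactly what `table Platform ...` expects.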

SplunkTrust

Without a clue of what your data looks like, here's how I'd expect things to work:

| inputlookup availability_metrics.csv | where _time >= relative_time(now(), "-3mon") | ...

That would only keep rows with a timestamp of three months ago or greater. Continue your search as you normally would.
