Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to loop through times for same search

Thulasinathan_M
Contributor
‎08-06-2024 12:07 AM

Hi Splunk Experts,
I'm not sure how easy it's using Splunk, I've a field (_time) with list of epoch_time values in it. I want to loop through each value and run a search using the time value in below query by replacing $_time$. Any advice would be much appreciated, Thanks in advance!!

_time
1722888000
1722888600
1722889200
1722889800
1722890400
1722891000

 

index=main earliest=$_time$-3600 latest=$_time$ user arrival
| timechart span=10m count by user limit=15
| untable _time user value
| join type=left user
[| inputlookup UserDetails.csv
| eval DateStart=strftime(relative_time($_time$), "-7d@d"), "%Y-%m-%d")
| where Date > DateStart]

 

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-06-2024 12:21 AM

Hi @Thulasinathan_M ,

you cannot use a calculation (earliest=$_time$-3600) in a search, but you can put the values to use for your search in a lookup, with the only attention point to use the same fields, something like this:

in the lookup you should put two fields: earliest and latest and the run a search like the following

index=main [| inputlookup my_time_periods.csv | fields earliest latest ] user arrival
| timechart span=10m count by user limit=15
| untable _time user value
| join type=left user
[| inputlookup UserDetails.csv
| eval DateStart=strftime(relative_time(_time), "-7d@d"), "%Y-%m-%d")
| where Date > DateStart

two addition infos:

don't use index=main, but use your own index.

don't user join for an inputlookup: the lookup command is a left join and in general use the join command only when you haven't any other solution because Splunk isn't a database and it's a very slow command!

please try this:

index=your_index [| inputlookup my_time_periods.csv | fields earliest latest ] user arrival
| timechart span=10m count by user limit=15
| untable _time user value
| lookup UserDetails.csv user
| eval DateStart=strftime(relative_time(_time), "-7d@d"), "%Y-%m-%d")
| where Date > DateStart

Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-06-2024 12:20 AM

It looks like you may be going about this the wrong way. Please explain in non-Splunk terms what it is you are trying to achieve.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...