Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to loop through times for same search

Thulasinathan_M
Contributor
‎08-06-2024 12:07 AM

Hi Splunk Experts,
I'm not sure how easy it's using Splunk, I've a field (_time) with list of epoch_time values in it. I want to loop through each value and run a search using the time value in below query by replacing $_time$. Any advice would be much appreciated, Thanks in advance!!

_time
1722888000
1722888600
1722889200
1722889800
1722890400
1722891000

 

index=main earliest=$_time$-3600 latest=$_time$ user arrival
| timechart span=10m count by user limit=15
| untable _time user value
| join type=left user
[| inputlookup UserDetails.csv
| eval DateStart=strftime(relative_time($_time$), "-7d@d"), "%Y-%m-%d")
| where Date > DateStart]

 

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-06-2024 12:21 AM

Hi @Thulasinathan_M ,

you cannot use a calculation (earliest=$_time$-3600) in a search, but you can put the values to use for your search in a lookup, with the only attention point to use the same fields, something like this:

in the lookup you should put two fields: earliest and latest and the run a search like the following

index=main [| inputlookup my_time_periods.csv | fields earliest latest ] user arrival
| timechart span=10m count by user limit=15
| untable _time user value
| join type=left user
[| inputlookup UserDetails.csv
| eval DateStart=strftime(relative_time(_time), "-7d@d"), "%Y-%m-%d")
| where Date > DateStart

two addition infos:

don't use index=main, but use your own index.

don't user join for an inputlookup: the lookup command is a left join and in general use the join command only when you haven't any other solution because Splunk isn't a database and it's a very slow command!

please try this:

index=your_index [| inputlookup my_time_periods.csv | fields earliest latest ] user arrival
| timechart span=10m count by user limit=15
| untable _time user value
| lookup UserDetails.csv user
| eval DateStart=strftime(relative_time(_time), "-7d@d"), "%Y-%m-%d")
| where Date > DateStart

Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-06-2024 12:20 AM

It looks like you may be going about this the wrong way. Please explain in non-Splunk terms what it is you are trying to achieve.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...