Solved: Re: search by _time from inputlookup csv file

mikeyty07 · ‎09-12-2023

I have a csv file which has data like this and i am using
| inputlookup abc.csv | search _time >= '2023-09-10" but its is not showing any data

_time	client	noclient
2023-09-10	iphone	airpord
2023-09-11	samsung	earbud

how do i get the data only for the selected date like from the above query

bowesmana · ‎09-12-2023

Now there's an odd thing with a field called "_time"

If that field in your lookup file really is called that WITH the underscore, it very much depends on what that data really is in the lookup, because Splunk will always render the _time field in a string way, not as an epoch, so if your lookup contains

"_time",client,noclient
"1694268000.000000",iphone,airpord
"1694354400.000000",samsung,earbud

then when you do inputlookup yourfile.csv it will LOOK like

2023-09-10	iphone	airpord
2023-09-11	samsung	earbud

so in that case, the field is already in EPOCH time and you would have to go

| inputlookup times.csv
| where _time>=strptime("2023-09-10", "%F")

and you will get your results back. I suspect this is YOUR case, because ...

HOWEVER, if your lookup contains

"_time",client,noclient
2023-09-10,iphone,airpord
2023-09-11,samsung,earbud

then that where clause will not work and you must first fix up _time.

That said, this WILL work if your data is actually strings like above

| inputlookup abc.csv
| search _time>="2023-09-10"

as you can do string comparisons IFF _time is also a string and you are using ISO8601 date format YYYY-MM-DD

View solution in original post

bowesmana · ‎09-12-2023

Now there's an odd thing with a field called "_time"

If that field in your lookup file really is called that WITH the underscore, it very much depends on what that data really is in the lookup, because Splunk will always render the _time field in a string way, not as an epoch, so if your lookup contains

"_time",client,noclient
"1694268000.000000",iphone,airpord
"1694354400.000000",samsung,earbud

then when you do inputlookup yourfile.csv it will LOOK like

2023-09-10	iphone	airpord
2023-09-11	samsung	earbud

so in that case, the field is already in EPOCH time and you would have to go

| inputlookup times.csv
| where _time>=strptime("2023-09-10", "%F")

and you will get your results back. I suspect this is YOUR case, because ...

HOWEVER, if your lookup contains

"_time",client,noclient
2023-09-10,iphone,airpord
2023-09-11,samsung,earbud

then that where clause will not work and you must first fix up _time.

That said, this WILL work if your data is actually strings like above

| inputlookup abc.csv
| search _time>="2023-09-10"

as you can do string comparisons IFF _time is also a string and you are using ISO8601 date format YYYY-MM-DD

richgalloway · ‎09-12-2023

Splunk cannot compare timestamps as strings. They must be converted to epoch (integer) form first.

| inputlookup abc.csv 
| eval _time = strptime(_time, "%Y-%m-%d")
| search _time >= strptime("2023-09-10", "%Y-%m-%d")

---
If this reply helps you, Karma would be appreciated.

How to search by _time from inputlookup csv file?

eval

fields

lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation