
How to use Time Picker(Time range) in "inputlookup"?

sbimizry
Engager

Hi,
How do I use the time range earliest=-24h@h latest=now() in the search `| inputlookup lookup`? I tried `| inputlookup lookup | search earliest=-24h@h latest=now()`, but this did not work.

0 Karma

vgtk4431
Path Finder

We faced an issue with this solution: we need to filter a big time-based KV Store (several million rows).
Doing the addinfo/where route was not a success, as it loads everything via the inputlookup and only then filters.

The solution we've found is as below:

| inputlookup lookup where _time>=
    [| makeresults
     | addinfo
     | table info_min_time
     | format "" "" "" "" "" ""
     | rex field=search "\"(?<search>[^\"]+)\"" ] AND _time<=
    [| makeresults
     | addinfo
     | table info_max_time
     | eval info_max_time=if(info_max_time="+Infinity",2999999999,info_max_time)
     | format "" "" "" "" "" ""
     | rex field=search "\"(?<search>[^\"]+)\"" ]

There may be an easier way to use format, but I'm not very good with this command 🙂

anm_mporter
Explorer

This is super useful, so I made a macro out of it:

[filter_lookup_time(1)]
args = TIME_FIELD
definition = ($TIME_FIELD$ >= [| makeresults \
    | addinfo \
    | return $info_min_time \
] AND $TIME_FIELD$ <= [| makeresults \
    | addinfo \
    | eval max_time=if(typeof(info_max_time) == "Number", info_max_time, 2147483647) \
    | return $max_time ])

You use it like this (assumes "my_lookup" has a "ts" field in epoch format):

| inputlookup my_lookup where `filter_lookup_time(ts)`

0 Karma

jnudell_2
Builder

Hi @sbimizry ,

If you have not included a time value anywhere in your lookup, then you cannot do this. Lookup files are basically state tables that the owner defines and updates. This means that the owner also defines which fields to include in the lookup, which may or may not (most do not) have a field that references a time value. Even if it DOES reference a time value, it may not be the time value you are thinking of. You would need some logic that executes when you update/create your lookup to add a time value that equates to the execution time of the creation/update of the lookup. Once you have a time field, you can re-map it to the _time field, which should allow you to use search earliest=-24h@h (you don't need latest=now(); Splunk assumes that if you don't provide a latest= statement).

If you HAVE included a time field in your lookup then you can also use @woodcock 's solution above:

| inputlookup lookup
| addinfo
| where (<Your Time Field Name Here> >= info_min_time AND <Your Time Field Name Here> <= info_max_time)

I hope this information provides you with your answer.

0 Karma

Kiran_Gowda
Observer

Hi @jnudell_2 ,

Can you please help with "You would need some logic that executes when you update / create your lookup to add a time value that equates to the execution time of the creation / update of the lookup."

We have similar requirement, where we need to capture the 'time' when 'SUBMIT' button is clicked on a dashboard.

 

Regards,

Kiran

0 Karma

anm_mporter
Explorer

The Submit button doesn't generate an event you can subscribe to. Each element has its own change monitoring via the <change> tag. The Submit button just triggers change actions for any inputs that have changed and are not already set to "search on change".

You could create search that runs whenever ANY of the form tokens change that sets a new token with the last change time. 

 

<search>
  <query>
    | makeresults
    | eval last_update_ts=now()
    ```$TOKEN1$ $TOKEN2$ $TOKEN3$ $TOKEN4$```
  </query>
  <earliest>-1m</earliest>
  <latest>now</latest>
  <sampleRatio>1</sampleRatio>
  <done>
    <set token="last_update_ts">$result.last_update_ts$</set>
  </done>
</search>

 

That same search COULD actually output to your lookup table, using "last_update_ts" as the time field.

0 Karma

jitendragupta
Path Finder

If you want to use earliest and latest mandatorily in your search, push your data to an index. In Settings -> Add Data -> Upload, select your CSV file. The _time field value will now be the same as the timestamp value in your CSV file. After this, select an index or create a new index, add the data, and start searching.

OR if you want to use inputlookup, use this code at the start of query:

| inputlookup <lookup name>.csv | eval summarydateformat=round(strptime(<time-field>,"%m/%d/%y"),0) | where (summarydateformat >= $time_tok1.earliest$ AND summarydateformat <= $time_tok1.latest$)

Replace time-field with the timestamp field of your CSV file and adjust the time format accordingly. Add a date picker with the token name time_tok1. Add "$time_tok1.earliest$" and "$time_tok1.latest$" to your searches. But with this approach you will not be able to select "last 24 hr", "last 30 days", etc. You can only select To and From dates from the date picker.

0 Karma

woodcock
Esteemed Legend

Like this:

| inputlookup lookup
| addinfo
| where (<Your Time Field Name Here> >= info_min_time AND <Your Time Field Name Here> <= info_max_time)
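As an added example (not code from any poster in this thread), the Simple XML form below ties together the pieces discussed above: jnudell_2's requirement that the lookup carry its own epoch time field, the addinfo/where filter in woodcock's post, the token-driven date picker in jitendragupta's post, and the "+Infinity" upper bound that vgtk4431's and anm_mporter's versions guard against. Binding the search's <earliest>/<latest> to the picker token, rather than comparing the raw token strings in SPL, is what removes jitendragupta's "absolute dates only" limitation: addinfo then returns the resolved epoch bounds whether the user picked "Last 24 hours" or a From/To pair. The lookup name hypothetical_state_lookup, its updated_at field, and the token name time_tok1 are assumptions made for this example.

```xml
<form>
  <label>Lookup rows filtered by the time picker (added example)</label>
  <fieldset submitButton="true">
    <!-- The picker token holds whatever the user chose: a relative range
         such as "-24h@h", a preset such as "Last 7 days", or absolute epochs. -->
    <input type="time" token="time_tok1">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- Assumption: hypothetical_state_lookup carries an epoch field
               updated_at that is stamped on every write, e.g.
                 ... | eval updated_at=now() | outputlookup append=true hypothetical_state_lookup
               The search window is bound to the picker (see earliest/latest
               below), so addinfo hands back the resolved bounds in
               info_min_time / info_max_time. When the picker has no upper
               bound, info_max_time is the string "+Infinity"; a plain numeric
               comparison against it fails, so it is replaced by a far-future
               epoch first. -->
          <query>
| inputlookup hypothetical_state_lookup
| addinfo
| eval max_time=if(info_max_time=="+Infinity", 9999999999, info_max_time)
| where updated_at &gt;= info_min_time AND updated_at &lt;= max_time
| eval _time=updated_at
| fields - info_min_time info_max_time info_search_time info_sid max_time
| sort - _time
          </query>
          <earliest>$time_tok1.earliest$</earliest>
          <latest>$time_tok1.latest$</latest>
        </search>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
</form>
```

The `| eval _time=updated_at` remap is the step jnudell_2 describes: once the stamped field is _time, timechart, bin and the event timeline treat the lookup rows like indexed events. Note that the `| where` here runs after the whole lookup has been loaded; for the multi-million-row KV Store case vgtk4431 describes, move the two comparisons into the `| inputlookup ... where` clause, as vgtk4431's subsearch version and anm_mporter's macro do, so the filter is pushed down to the store.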

splunksan
Engager

@woodcock approach worked. thanks!

0 Karma

gcusello
SplunkTrust

Hi sbimizry,
if you need to have _time, you should use a summary index not a lookup.
Bye.
Giuseppe

0 Karma

sbimizry
Engager

Can I do without it? If yes, then how?

0 Karma

gcusello
SplunkTrust

You should save a timestamp in epoch time in your lookup and then modify your searches, but it isn't so easy.
Bye.
Giuseppe

0 Karma