Solved: Re: How to use timepicker from a CSV lookup?

splunkrocks2014 · ‎02-14-2018

I found the similar post here, but the solution doesn't seem to be working. I have a CSV file with a timestamp field that looks as follows:

my_time      name      count
----------   -----     -----
2017-10-13   abc       10
2017-11-13   xyz       20

My search looks this:

| inputlookup mytable.csv | eval _time=strptime(my_time,"%Y-%m-%d")

No matter how I change the time range from the search window, it doesn't change the result. Any clues?

micahkemp · ‎02-14-2018

Check out the bottom answer on this recent answers post to see if it explains why what you're trying isn't working.

Adding the pertinent text of the answer in question to make it easier to find:

Lookups, even time-based lookups, don't (by default) enable searching by using the timepicker.

However, if you have a time in your lookup file, you can somewhat fake what you may be looking for with a search like:

| inputlookup server_purposes
| eval _time=strptime(start_time, "%Y-%m-%d")
| addinfo
| where _time>=info_min_time and _time<info_max_time

The addinfo command adds your earliest/latest times as chosen by the timepicker and puts them in the fields info_min_time and info_max_time, after which you can use the where command to search for _time values within that range.

View solution in original post

micahkemp · ‎02-14-2018

Check out the bottom answer on this recent answers post to see if it explains why what you're trying isn't working.

Adding the pertinent text of the answer in question to make it easier to find:

Lookups, even time-based lookups, don't (by default) enable searching by using the timepicker.

However, if you have a time in your lookup file, you can somewhat fake what you may be looking for with a search like:

| inputlookup server_purposes
| eval _time=strptime(start_time, "%Y-%m-%d")
| addinfo
| where _time>=info_min_time and _time<info_max_time

The addinfo command adds your earliest/latest times as chosen by the timepicker and puts them in the fields info_min_time and info_max_time, after which you can use the where command to search for _time values within that range.

grittonc · ‎10-23-2018

Very helpful. Explained in more detail here: https://www.splunk.com/blog/2016/09/16/i-cant-make-my-time-range-picker-pick.html

splunkuseradmin · ‎06-19-2019

I have same problem but can't get the solution I need..
I have indexed data with fields conferenceID "start Time" "End Time" I basically wants to get output by taking "Start Time" when ever I search using time-picker.
problem: it is always taking _time and giving wrong results but after below query it gives 0 results.
index=test sourcetype=webex "testinc" | eval _time=strptime("Start Time","%Y-%m-%d")
| sort - _time
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
|table ConferenceID "Start Time" "End Time"

splunkrocks2014 · ‎02-15-2018

That's a time-based lookup, but this is not what I am looking for.

micahkemp · ‎02-15-2018

That's what the subject referenced, but I don't think that's actually what the poster wanted, and my answer addressed what I think your need is.

I've added that answer to my original answer here as well.

splunkrocks2014 · ‎02-15-2018

Sorry, it works as what I expected. Thanks.

How to use timepicker from a CSV lookup?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?