Splunk Search

How to use timepicker from a CSV lookup?

Communicator

I found a similar post here, but the solution doesn't seem to be working. I have a CSV file with a timestamp field that looks as follows:

my_time      name      count
----------   -----     -----
2017-10-13   abc       10
2017-11-13   xyz       20 

My search looks like this:

| inputlookup mytable.csv | eval _time=strptime(my_time,"%Y-%m-%d")

No matter how I change the time range from the search window, it doesn't change the result. Any clues?

0 Karma
1 Solution

Champion

Check out the bottom answer on this recent answers post to see if it explains why what you're trying isn't working.

Adding the pertinent text of the answer in question to make it easier to find:

Lookups, even time-based lookups, don't (by default) enable searching by using the timepicker.

However, if you have a time in your lookup file, you can somewhat fake what you may be looking for with a search like:

| inputlookup server_purposes
| eval _time=strptime(start_time, "%Y-%m-%d")
| addinfo
| where _time>=info_min_time and _time<info_max_time

The addinfo command adds your earliest/latest times as chosen by the timepicker and puts them in the fields info_min_time and info_max_time, after which you can use the where command to search for _time values within that range.

View solution in original post
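As an added example (not part of the original answer), here is the accepted technique applied to the CSV from the question, extended with the two things that bite in practice: the "All time" setting of the timepicker, for which addinfo reports info_max_time as the string "+Infinity" rather than a number, and the fact that strptime on a date-only string pins every row to local midnight, so a picker range such as "Last 4 hours" will almost never hit it. The example therefore treats each row as a one-day interval and keeps it when that interval overlaps the picker window. The lookup name mytable.csv and the fields my_time, name and count come from the question; row_start, row_end and the overlap test are this example's own assumptions about how the date column should be interpreted.

```spl
| inputlookup mytable.csv
| eval row_start=strptime(my_time, "%Y-%m-%d")
| eval row_end=relative_time(row_start, "+1d")
| eval _time=row_start
| addinfo
| where row_end>info_min_time AND (info_max_time="+Infinity" OR row_start<info_max_time)
| fields - info_*
| table _time my_time name count
```

The comparison is half-open (earliest inclusive, latest exclusive), which is how Splunk applies the timepicker to indexed events, so results line up with a normal index search over the same range. relative_time is used instead of adding 86400 so the day boundary survives DST changes. Two checks worth running before trusting the output: strptime returns null when the format string does not match the data, and null never satisfies the where clause, so `| where isnull(row_start)` after the second eval lists rows whose dates are silently being dropped; and if the date column has a space in its name it must be single-quoted inside eval (strptime('Start Time', ...)), because "Start Time" in double quotes is a string literal, which strptime cannot parse and which therefore yields zero results.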



Path Finder

I have the same problem but can't get the solution I need.
I have indexed data with the fields ConferenceID, "Start Time" and "End Time". I basically want to get output by "Start Time" whenever I search using the time picker.
Problem: it is always using _time and giving wrong results, but with the query below it gives 0 results.
index=test sourcetype=webex "testinc" | eval _time=strptime('Start Time',"%Y-%m-%d")
| sort - _time
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| table ConferenceID "Start Time" "End Time"

0 Karma

Communicator

That's a time-based lookup, but this is not what I am looking for.

0 Karma

Champion

That's what the subject referenced, but I don't think that's actually what the poster wanted, and my answer addressed what I think your need is.

I've added that answer to my original answer here as well.

0 Karma

Communicator

Sorry, it works as I expected. Thanks.

0 Karma