Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use values from inputlookup for date comparison?

Jochen_Widmaier
Engager
‎09-24-2021 05:32 AM

Hi,

I want to create a dashboard, where a user has a drop down input to select a named time frame ($value$). The start and end date of the time frame are defined in a lookup table. 

Each of my events has a milestone date. I want to filter to those events where the milestone date is between the start and end date from the lookup table.

I tried something like this:

index=my_index
| where milestone_date_epoch > [inputlookup mapping_lookup WHERE time_frame = $value$
    | eval startdate = strptime(Start_date, "%Y-%m-%d")
    | return startdate]
| where milestone_date_epoch < [inputlookup mapping_lookup WHERE time_frame = $value$
    | eval enddate = strptime(End_date, "%Y-%m-%d")
    | return enddate]

But I get an error message 😞 Can you help me to get this fixed?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-24-2021 08:35 AM 
index=my_index
| where milestone_date_epoch > [inputlookup mapping_lookup WHERE time_frame = $value$
    | head 1
    | eval query = strptime(Start_date, "%Y-%m-%d")
    | table query
    | format]
| where milestone_date_epoch < [inputlookup mapping_lookup WHERE time_frame = $value$
    | head 1
    | eval query = strptime(End_date, "%Y-%m-%d")
    | table query
    | format]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Jochen_Widmaier
Engager
‎09-24-2021 05:51 AM

The error message says:

Error in 'where' command: The operator at '="1630879200.000000"' is invalid.

I assume that the number is the epoch I have evaluated from the inputlookup. 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-24-2021 06:52 AM

Try something like this

index=my_index
| where milestone_date_epoch > [inputlookup mapping_lookup WHERE time_frame = $value$
    | eval query = strptime(Start_date, "%Y-%m-%d")
    | format]
| where milestone_date_epoch < [inputlookup mapping_lookup WHERE time_frame = $value$
    | eval query = strptime(End_date, "%Y-%m-%d")
    | format]
0 Karma
Reply
Solved! Jump to solution

Jochen_Widmaier
Engager
‎09-24-2021 08:27 AM

I tried your proposal. From the Splunk documentation I would have guessed it needs to work now (thank you for pointing me there, I didn't now the format command earlier). But unfortunately I get a new error message:

Error in 'where' command: Type checking failed. 'AND' only takes boolean arguments.

But I don't have any AND in my query?!?

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-24-2021 08:35 AM 
index=my_index
| where milestone_date_epoch > [inputlookup mapping_lookup WHERE time_frame = $value$
    | head 1
    | eval query = strptime(Start_date, "%Y-%m-%d")
    | table query
    | format]
| where milestone_date_epoch < [inputlookup mapping_lookup WHERE time_frame = $value$
    | head 1
    | eval query = strptime(End_date, "%Y-%m-%d")
    | table query
    | format]
0 Karma
Reply
Solved! Jump to solution

Jochen_Widmaier
Engager
‎09-26-2021 11:03 PM

Thank you very much @ITWhisperer . Now it is working fine 👍. You are a true legend.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-24-2021 05:44 AM

What error message are you getting?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of Splunk APM’s and Splunk RUM’s streaming infrastructure in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...