Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Limit timechart from lookup table

humanBeing
Engager
‎10-15-2021 06:46 AM

Hello all,

I'm using a lookup table with a _time field to create a timechart which works great.  

However, the lookup table has data for say 90 days and I don't always want the timechart to be for the full 90 days.  

How can I limit my timechart to 30 days from my lookup table that has 90 days worth of data without deleting the extra 60 days?  

The _time field is in already in the format %y-%m-%d %H:%M

I've tried 
|inputlookup mylookupfile where earliest=-30d

Thank you!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2021 07:54 AM

The queries allowed in the where clause of inputlookup are different from those allowed in the search command.  In particular, "earliest" in search maps to the _time field whereas in inputlookup it refers to the "earliest" field.

A further complication is inputlookup where does not recognize time modifiers.

One workaround is to read the entire lookup, convert _time to epoch form, then compare the converted time to the timestamp 30 days old.

| inputlokoup mylookup
| eval eTime=strptime(_time, "%Y-%m-%d %H:%%M")
| where eTime > relative_time(now(), "-30d")
| fields - eTime
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2021 07:54 AM

The queries allowed in the where clause of inputlookup are different from those allowed in the search command.  In particular, "earliest" in search maps to the _time field whereas in inputlookup it refers to the "earliest" field.

A further complication is inputlookup where does not recognize time modifiers.

One workaround is to read the entire lookup, convert _time to epoch form, then compare the converted time to the timestamp 30 days old.

| inputlokoup mylookup
| eval eTime=strptime(_time, "%Y-%m-%d %H:%%M")
| where eTime > relative_time(now(), "-30d")
| fields - eTime
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...