Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Lookup Table Modifying _time and timepicker ignoring

chrisboy68
Contributor
‎01-24-2025 06:30 AM

Hi,

 

Struggling trying to figure out what I'm doing wrong. I have the following SPL

| inputlookup append=t kvstore
| eval _time = strptime(start_date, "%Y-%m-%d")
| eval readable_time = strftime(_time, "%Y-%m-%d %H:%M:%S")

start_date is YYYY-MM-DD, when I modify the _time, I can see it is changed via readable_time, but the timepicker still ignores the change. I can say search last 30 days and I get the events with _time before the range in the timepicker. Any ideas? 

Thanks!

Labels (3)
Labels
0 Karma
Reply

chrisboy68
Contributor
‎01-24-2025 07:32 AM

My use case requires strict relationships. 

| inputlookup append=t mylookup 
| eval _time = strptime(start_date, "%Y-%m-%d") 
| addinfo 
| rename info_* AS * 
| where _time >= min_time AND _time <= max_time

This works for my use case, bit clunkly. Thank all. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-24-2025 07:38 AM

OK, whether that's ugly or not is a matter of personal taste of course but be aware that it's a very unintuitive way to handle data and someone tasked with maintenance of this later might have hard time understanding this.

0 Karma
Reply

chrisboy68
Contributor
‎01-24-2025 06:51 AM

Ah ok.  I changed the definitiion to below. Its still not working, time picker is ignoring the time. Anything else I should do?

chrisboy68_0-1737730228086.png

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-24-2025 07:20 AM

Your timepicker will not work.

Timepicker is responsible for setting the earliest/latest parameters for the search. Those parameters only affect fetching events from indexes at the beginning of the search pipeline when the events are generated with search or tstats (maybe there's another command which they affect but I cannot think of any right now). They don't "filter" the events anywhere after that. Most importantly, if you're doing inputlookup or rest timepicker will not affect your search results in any way. And you can't do anything about it (maybe except some very very ugly bending over backwards with addinfo and filtering with where but that's not something any sane person would do.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-24-2025 06:37 AM

Hi @chrisboy68 ,

timekeeper works with events not with lookups.

if you need to use time with a lookup, use a lookup with "Configure time-based lookup" in Lookup Definition, or better, save the values in a index.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...