Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Search with Time Using a Lookup?

atebysandwich
Path Finder
‎03-13-2023 09:09 AM

I have a lookup of hosts with a field Last_Scan_Datetime and the field values were formated using strftime(_time, "%Y-%m-%d-%H.%M.%S") . How would I go upon searching for hosts that were scanned in the last 3 days? 

Everything I've found regarding searching with time has involved searching the index. 

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-13-2023 05:31 PM

You can make a time based lookup definition where you define the settings as

bowesmana_0-1678753775497.png

Then when you search your events, assuming your host field is called host, you do

 

| lookup your_lookup_definition host OUTPUT Last_Scan_Datetime as found_Last_Scan_Datetime
| where isnull(found_Last_Scan_Datetime)

 

which will return you all the hosts where the Last_Scan_Datetime field is older than 3 days ago from the _time field in the event for that host

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-13-2023 10:22 AM

Looking up times is not straightforward.  For the most part, lookups do exact string matches (except for wildcard and CIDR matching, if defined).  Timestamps are even trickier since Splunk can't do much with them in string format.  That means something like

| inputlookup mylookup.csv where Last_Scan_Datetime > someValue

won't work.  You'd have to convert the timestamp to epoch form and then compare it.

| inputlookup mylookup.csv
| eval epoch = strptime(Last_Scan_Datetime, "%Y-%m-%d-%H:%M:%S")
| where epoch > relative_time(now(), "-3d")

This assumes your use case works with the inputlookup command.  I know of no similar solution using lookup.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...