Solved: filter inputlookup table by UI specified timerange

BradL · ‎01-14-2015

I've been searching and experimenting for quite a while and I suspect I'm missing something simple....

I have a CSV lookup file with an epoch time field ("timestamp").

In my search string, I use inputlookup and I want to filter it, like this:

...| inputlookup my.csv | where timestamp >= start AND timestamp <= end

but the values I want to use for "start" and "end" I want to be the values that come from the UI in the search App (Last 24 hours, etc.)

I would expect these to translate to some sort of pre-defined variables, but I haven't been able to track them down.

I've also tried:

| inputlookup my.csv | eval _time=timestamp

where I hoped the predefined range would apply, but it didn't filter the lookup at all.

Is there a way I can get the UI generated search range to use in my where clause?

Thanks!

somesoni2 · ‎01-14-2015

Give this a try

| inputlookup my.csv | where timestamp >= [| gentimes start=-1 | addinfo | eval search=info_min_time | table search] AND timestamp <=[| gentimes start=-1 | addinfo | eval search=info_max_time | table search]

View solution in original post

somesoni2 · ‎01-14-2015

Give this a try

| inputlookup my.csv | where timestamp >= [| gentimes start=-1 | addinfo | eval search=info_min_time | table search] AND timestamp <=[| gentimes start=-1 | addinfo | eval search=info_max_time | table search]

filter inputlookup table by UI specified timerange

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How Edge Processor's Durable Queue Works

Announcing Modern Navigation: A New Era of Splunk User Experience

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Join the Conversation