Solved: filter inputlookup table by UI specified timerange

BradL · ‎01-14-2015

I've been searching and experimenting for quite a while and I suspect I'm missing something simple....

I have a CSV lookup file with an epoch time field ("timestamp").

In my search string, I use inputlookup and I want to filter it, like this:

...| inputlookup my.csv | where timestamp >= start AND timestamp <= end

but the values I want to use for "start" and "end" I want to be the values that come from the UI in the search App (Last 24 hours, etc.)

I would expect these to translate to some sort of pre-defined variables, but I haven't been able to track them down.

I've also tried:

| inputlookup my.csv | eval _time=timestamp

where I hoped the predefined range would apply, but it didn't filter the lookup at all.

Is there a way I can get the UI generated search range to use in my where clause?

Thanks!

somesoni2 · ‎01-14-2015

Give this a try

| inputlookup my.csv | where timestamp >= [| gentimes start=-1 | addinfo | eval search=info_min_time | table search] AND timestamp <=[| gentimes start=-1 | addinfo | eval search=info_max_time | table search]

View solution in original post

somesoni2 · ‎01-14-2015

Give this a try

| inputlookup my.csv | where timestamp >= [| gentimes start=-1 | addinfo | eval search=info_min_time | table search] AND timestamp <=[| gentimes start=-1 | addinfo | eval search=info_max_time | table search]

filter inputlookup table by UI specified timerange

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life