pass time filters from lookup to saved search or m...

vinothn · ‎03-24-2021

Hi team,

I am trying to send earliest and latest time values from lookup to saved search but i am not able to get results for the same.

Lookup:

| inputlookup temp.csv

Result:

Search with direct values:

| inputlookup temp.csv
| append [search index=abc earliest="1607395500.000" latest="1607396400.000"]

Result:

Getting proper result.

search using lookup fields:

| inputlookup temp.csv
| append [search index=abc earliest=arg1 latest=arg2]

Result:

Invalid value "arg1" for time term 'earliest' and "arg2" for time term 'latest'

Note: Let me know if you need any other from my side.

richgalloway · ‎03-24-2021

What is the desired result of this query?

I see two problems so far:

1) inputlookup returns 3 values for arg1 and arg2, but the earliest and latest options only accept one value (each).

2) The search command does not accept fields on the right side of the =.

If each row in the lookup file is supposed to generate a search then try this:

| inputlookup temp.csv
| map search="index=abc earliest=$arg1$ latest=$arg2$"

---
If this reply helps you, Karma would be appreciated.

pass time filters from lookup to saved search or macro or search