I have a search that is exported to a csv file which is also set up to be a lookup table.
I can call the lookup table just fine and see all the contents of the csv file by using the following search
| inputlookup po1usertable
What I am trying to do though is be able to specify a time range on the search so that the results which get returned match the time stamp range that is in every row of the csv file.
There is a timestamp that gets created before exporting the lookup table for each row based off the following eval statement.
| convert timeformat="%Y%m%d%H%M%S" ctime(time) AS thetime
In my props file I have the following
[po1usertable]
filename = po1usertable.csv
time_field = thetime
time_format = "%Y%m%d%H%M%S"
However, when specifying a time range it does not seem to be working, as I get the entire csv contents in the results.
I'm not sure if I'm doing something wrong or if I'm misunderstanding the point of a time-based lookup.
Thanks for any help.
The 'inputlookup' command is different from the 'lookup' command.
The former just inputs all the values from a given lookup, while the latter will actually 'look up' k/v pairs based on given fields in events.
Time-based lookups only apply to the 'lookup' command.
If you want to get the last 15 minutes of a lookup's data, try:
| inputlookup po1usertable | eval thetime_epoch=strptime(thetime, "%Y%m%d%H%M%S") | where thetime_epoch > now()-900 | ...
Thanks for the info I did not know that. So I take it there is no way to use the time picker for selecting the time range and it has to be specified in the search?
Here's one that can be controlled using the time picker.
| inputlookup po1usertable
| eval _time=strptime(date, "%Y-%m-%d")
| addinfo
| eval info_max_time=if(info_max_time="+Infinity",9999999999,info_max_time)
| where _time >= info_min_time AND _time <= info_max_time
| fields - info* _time
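The two answers above both come down to the same operation: parse each lookup row's timestamp into epoch seconds and keep only the rows inside a window, either "the last 900 seconds" or the time picker's [earliest, latest] range, where an open-ended "latest" arrives from addinfo as the string "+Infinity". The following Python script is an added example that is not part of this thread and not Splunk code; it reproduces that filtering logic offline so the behaviour can be checked against a small constructed CSV (the real po1usertable.csv layout and its other columns are unknown, so the user column and row values here are made up). Rows whose timestamp does not parse are dropped, matching how a Splunk where clause treats a null comparison.

```python
import csv
import io
import time
from datetime import datetime, timezone

# Constructed sample of a lookup CSV in the question's format (%Y%m%d%H%M%S).
# The real po1usertable.csv columns are unknown; "user" is an assumed column name.
SAMPLE_CSV = """user,thetime
alice,20130301120000
bob,20130301121500
carol,20130301130000
dave,not-a-timestamp
"""

TIME_FORMAT = "%Y%m%d%H%M%S"  # the format produced by the question's convert command


def to_epoch(value, fmt=TIME_FORMAT):
    """Stand-in for Splunk's strptime(): epoch seconds (UTC) or None when the value does not parse."""
    try:
        return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc).timestamp()
    except ValueError:
        return None


def window_from_picker(info_min_time, info_max_time):
    """Mirror the answer's handling of addinfo output: an open-ended 'latest' is reported as
    "+Infinity", which is replaced by a far-future epoch so a numeric comparison still works."""
    if info_max_time == "+Infinity":
        info_max_time = 9999999999
    return float(info_min_time), float(info_max_time)


def filter_rows(csv_text, info_min_time, info_max_time, time_field="thetime", fmt=TIME_FORMAT):
    """Equivalent of: inputlookup | eval _time=strptime(...) | where _time >= min AND _time <= max."""
    lo, hi = window_from_picker(info_min_time, info_max_time)
    kept = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        t = to_epoch(row.get(time_field, ""), fmt)
        if t is None:
            continue  # unparsable timestamp: the where clause would evaluate to null and drop the row
        if lo <= t <= hi:
            kept.append(row)
    return kept


def last_n_seconds(csv_text, seconds, now=None, time_field="thetime", fmt=TIME_FORMAT):
    """Equivalent of the first answer's 'where thetime > now()-900' once thetime is converted to epoch."""
    now = time.time() if now is None else now
    return filter_rows(csv_text, now - seconds, now, time_field, fmt)


if __name__ == "__main__":
    # Fixed "now" of 2013-03-01 12:15:00 UTC so the run is reproducible.
    for row in last_n_seconds(SAMPLE_CSV, 900, now=1362140100):
        print(row["user"], row["thetime"])
    # Time picker with earliest=12:00:00 UTC and an open-ended latest.
    for row in filter_rows(SAMPLE_CSV, 1362139200, "+Infinity"):
        print(row["user"], row["thetime"])
```

Both bounds are treated as inclusive here, as in the second answer's where clause; the first answer's strict `>` would exclude a row that falls exactly on the lower bound.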