
time-based inputlookup

Builder

I have a search that is exported to a csv file which is also set up to be a lookup table.

I can call the lookup table just fine and see all the contents of the csv file by using the following search

| inputlookup po1usertable 

What I am trying to do though is be able to specify a time range on the search so that the results which get returned match the time stamp range that is in every row of the csv file.

There is a timestamp that gets created before exporting the lookup table for each row based off the following eval statement.

| convert timeformat="%Y%m%d%H%M%S" ctime(_time) AS thetime

example: 20110122221814

In my props file I have the following

[po1usertable]
filename = po1usertable.csv
time_field = thetime
time_format = "%Y%m%d%H%M%S"

However, when specifying a time range it does not seem to be working, as I get the entire csv contents in the results.

I'm not sure if I'm doing something wrong or if I'm misunderstanding the point of a time-based lookup.

Thanks for any help.


Re: time-based inputlookup

Champion

The 'inputlookup' command is different than the 'lookup' command.

The former just inputs all the values from a given lookup, while the latter will actually 'look up' k/v pairs based on given fields in events.

Time-based lookups only apply to the 'lookup' command.

If you want to get the last 15 minutes of a lookup's data, try:

...| inputlookup po1usertable | where strptime(thetime, "%Y%m%d%H%M%S") > now()-900 | ...


Re: time-based inputlookup

Builder

Thanks for the info I did not know that. So I take it there is no way to use the time picker for selecting the time range and it has to be specified in the search?


Re: time-based inputlookup

Legend

Seems to me that if you need to do this, you should be indexing the file, not using it as a lookup?


Re: time-based inputlookup

Champion

meh, there are some good reasons to use lookups like this, at least until a future iteration of summary indexing fits those use cases.


Re: time-based inputlookup

Champion

No up vote? 🙂 🙂 🙂


Re: time-based inputlookup

Explorer

Here's one that can be controlled using the time picker:

| inputlookup vladimirinputlookuptimestamps.csv | eval _time=strptime(date, "%Y-%m-%d") | addinfo | eval info_max_time=if(info_max_time="+Infinity",9999999999,info_max_time) | where _time >= info_min_time AND _time <= info_max_time | fields - info* _time
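
The same time-picker technique applied to the original poster's po1usertable lookup, whose thetime column holds %Y%m%d%H%M%S strings (an added example, not from any of the posts above; it assumes the lookup and field names from the question and treats an "All time" search, where addinfo reports info_max_time as "+Infinity", as ending at now()):

```spl
| inputlookup po1usertable
| eval _time=strptime(thetime, "%Y%m%d%H%M%S")
| addinfo
| eval info_max_time=if(info_max_time="+Infinity", now(), info_max_time)
| where _time >= info_min_time AND _time <= info_max_time
| fields - info_*
```

Rows outside the picker's range are dropped before any further commands run, and keeping _time lets the remaining rows be charted on a timeline or fed to timechart.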
