Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use a timestamp value from a lookup.csv as the earliest time marker in a report search?

auzark
Communicator
‎09-27-2022 10:28 PM

I am trying to use a timestamp field from a lookup.csv as the earliest time marker, but it will not set the value of earliest when the report runs.   Can you help, please.  The earliest and latest always use the defaul preset value.

index=a4_designeng_generic_app_audit_prd sourcetype=cba:designeng:nonstop:syslog

[| inputlookup  Production_Health_Status.csv
   | tail 1
    | eval earliest=Status_Check_Timestamp    <--- this value is being set each time the report runs.
    | fields earliest
]

 

! Invalid value "09/28/2022 13:06:00" for time term 'earliest'

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-27-2022 11:35 PM

Hi @auzark,

timestamp is in epochtime, your value from lookup doesn't, you have to convert it:

index=a4_designeng_generic_app_audit_prd sourcetype=cba:designeng:nonstop:syslog
[| inputlookup  Production_Health_Status.csv
   | tail 1
    | eval earliest=strptime(Status_Check_Timestamp,"%m/%d/%Y %H:%M:%S")
    | fields earliest
]

Ciao.

Giuseppe

Reply

auzark
Communicator
‎09-28-2022 02:36 AM

Hi  Giuseppe,

Thanks for  your suggestion. I no longer get the invalid value error, however the "earliest" time modifier does not use the value of Status_Check_Timestamp from my lookup.csv????   It uses the value from preset (ie... last 15 min)

Sample value of Status_Check_Timestamp - 09/28/2022 18:56:00

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-28-2022 02:50 AM

Hi @auzark,

what's the result of the subsearch?

it should be only one field: earliest.

Ciao.

Giuseppe

0 Karma
Reply

auzark
Communicator
‎10-03-2022 05:28 PM

Hi Giuseppe,

My apologies for my delayed response.

The results of the sub search is the value of "earliest", however, I am wanting to use this value as the search time window for a report.

earliest=Status_Check_Timestamp  latest=(now)

 

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-04-2022 08:53 AM

Hi @auzark,

if you rename your subsearch fields as earliest and latest, and you use the fields command (that says use only these fields for the correlation) they are used in the main search as time period:

index=a4_designeng_generic_app_audit_prd sourcetype=cba:designeng:nonstop:syslog
[| inputlookup  Production_Health_Status.csv
   | tail 1
    | eval earliest=strptime(Status_Check_Timestamp,"%m/%d/%Y %H:%M:%S"), latest=now()
    | fields earliest latest
]

 Ciao.

Giuseppe

Reply

auzark
Communicator
‎10-04-2022 06:14 PM

Hi Giuseppe,

I've used that exact syntax and got the below error.

index=a4_designeng_generic_app_audit_prd sourcetype=cba:designeng:nonstop:syslog
[| inputlookup NonStop_Production_Health_Status.csv
| tail 1
| eval earliest=strptime(Status_Check_Timestamp,"%m/%d/%Y %H:%M:%S"), latest=now()
| fields earliest latest
]

Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side.
The search job has failed due to an error. You may be able view the job in the 
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-04-2022 11:55 PM

Hi @auzark,

at first check if the subsearch returns the correct values (two timestamps in epochtime).

then check if there's a space before the square parenthesis of the subsearch.

At least check that the field name Status_Check_Timestamp is correct and check its format.

Ciao.

Giuseppe

 

Reply

auzark
Communicator
‎10-05-2022 12:30 AM

Hi Giuseppe,

I have fixed my issue by using the | return command as per below.

index=a4_designeng_generic_app_audit_prd sourcetype=cba:designeng:nonstop:syslog

[| inputlookup NonStop_Production_Health_Status.csv

| tail 1

| eval earliest=strptime(Status_Check_Timestamp,"%m/%d/%Y %H:%M:%S"), latest=now()

| fields earliest latest

| return earliest=$earliest

]

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-05-2022 01:14 AM

Hi @auzark,

it should work also without return command.

Anyway, I'm happy that you solved your issue.

If one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors;-)

Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-04-2022 08:23 PM

That's odd - can you look at the search.log in the job inspector and look to see if there are any errors or if the search parser is showing something that doesn't look right.

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...