Solved: How do I filter events by lookup time?

imheejin · ‎04-22-2021

I have a lookup table like in splunk this:

earliest_time	latest_time	S_NO	SRC_IP
3/1/2021	4/1/2021	E1002	10.10.10.10

I want to exclude the SRC_IP within time(earliest_time and latest_time) from the search.

How could I write the splunk sql to implement this?

ITWhisperer · ‎04-23-2021

Try something like this

your search
| lookup lookup-table-name IP OUTPUT earliest_time latest_time
| eval earliest_time=strptime(earliest_time,"%m/%d/%Y)
| eval latest_time=strptime(latest_time,"%m/%d/%Y)
| where _time < earliest_time OR _time > latest_time

View solution in original post

ITWhisperer · ‎04-23-2021

Try something like this

your search
| lookup lookup-table-name IP OUTPUT earliest_time latest_time
| eval earliest_time=strptime(earliest_time,"%m/%d/%Y)
| eval latest_time=strptime(latest_time,"%m/%d/%Y)
| where _time < earliest_time OR _time > latest_time

How do I filter events by lookup time?

lookup

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

How do I filter events by lookup time?

lookup

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I