Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter on KV Store lookup time-based fields using a time picker?

nawneel
Communicator
‎05-05-2016 02:41 AM

I have a large data set in my KV Store collections. These fields also contains time specific fields. I would like to perform filtering on these time based fields by time picker. Any suggestions for implementation.

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-05-2016 08:24 AM

Like this:

| inputlookup MyKVstoreName | addinfo | where MyTimeField >= info_min_time AND MyTimeField <= info_max_time

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-05-2016 08:24 AM

Like this:

| inputlookup MyKVstoreName | addinfo | where MyTimeField >= info_min_time AND MyTimeField <= info_max_time
Reply
Solved! Jump to solution

highsplunker
Contributor
‎10-04-2024 07:06 AM

worked for me. beautiful solution. thanks a lot

0 Karma
Reply
Solved! Jump to solution

nawneel
Communicator
‎05-05-2016 10:45 PM

This Works wonders . thanks @woodcock

0 Karma
Reply
Solved! Jump to solution

tnesavich_splun
Splunk Employee
Splunk Employee
‎01-16-2017 01:27 PM

Perfect Gregg! Thanks for this. Elegant and effective.

0 Karma
Reply
Solved! Jump to solution

frechette
Explorer
‎04-30-2020 03:19 PM

This isn't elegant, it's inefficient. You should be able to filter by time before results are ever brought into the search pipeline.

0 Karma
Reply
Solved! Jump to solution

dnitschke_splun
Splunk Employee
Splunk Employee
‎05-02-2020 07:52 AM

You can also add the time filter into the WHERE clause of inputlookup, e.g.

| inputlookup MyKVstoreName WHERE
[| makeresults count=1
| addinfo
| eval info_max_time=if(info_max_time=="+Infinity", 2147483647, info_max_time)
| eval search="( (MyTimeField>=" . info_min_time . ") AND (" . "MyTimeField<" . info_max_time . ") )"
| table search ]

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-17-2018 06:57 PM

I am full of IT, ask anybody.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...