Splunk Search

time-based inputlookup

cramasta
Builder

I have a search that is exported to a csv file which is also set up to be a lookup table.

I can call the lookup table just fine and see all the contents of the csv file by using the following search:

| inputlookup po1usertable 

What I am trying to do though is be able to specify a time range on the search so that the results which get returned match the time stamp range that is in every row of the csv file.

There is a timestamp that gets created before exporting the lookup table for each row based off the following eval statement.

| convert timeformat="%Y%m%d%H%M%S" ctime(time) AS thetime

example: 20110122221814

In my props file I have the following:

[po1usertable]
filename = po1usertable.csv
time_field = thetime
time_format = "%Y%m%d%H%M%S"

However, when specifying a time range it does not seem to be working, as I get the entire csv contents in the results.

I'm not sure if I'm doing something wrong or if I'm misunderstanding the point of a time-based lookup.

Thanks for any help.

1 Solution

araitz
Splunk Employee

The 'inputlookup' command is different from the 'lookup' command.

The former just inputs all the values from a given lookup, while the latter will actually 'look up' k/v pairs based on given fields in events.

Time-based lookups only apply to the 'lookup' command.

If you want to get the last 15 minutes of a lookup's data, try:

...| inputlookup po1usertable | where thetime > now()-900 | ...


vskoryk_splunk
Splunk Employee

Here's one that can be controlled using the time picker:

| inputlookup vladimir_inputlookup_timestamps.csv | eval _time=strptime(date, "%Y-%m-%d") | addinfo | eval info_max_time=if(info_max_time="+Infinity",9999999999,info_max_time) | where _time >= info_min_time AND _time <= info_max_time | fields - info* _time
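Combining araitz's fixed 15-minute window with vskoryk_splunk's time-picker approach, applied to the lookup from the question: an added example, not a search from this thread. It assumes the po1usertable lookup with a thetime column in the "%Y%m%d%H%M%S" format shown above; because thetime is a formatted string rather than epoch seconds, it is parsed with strptime() before being compared against the epoch bounds that addinfo supplies.

```spl
| inputlookup po1usertable
| eval _time=strptime(thetime, "%Y%m%d%H%M%S")
| addinfo
| eval info_max_time=if(info_max_time="+Infinity", 9999999999, info_max_time)
| where _time >= tonumber(info_min_time) AND _time <= tonumber(info_max_time)
| fields - info_*
```

With the time picker set to "Last 15 minutes" this returns the same rows as araitz's now()-900 filter, but the range now follows whatever the picker is set to. When no latest time is set, addinfo reports info_max_time as "+Infinity", which tonumber() cannot convert; the eval replaces it first so the comparison does not silently drop every row.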


araitz
Splunk Employee

No up vote? 🙂 🙂 🙂

0 Karma

araitz
Splunk Employee

Meh, there are some good reasons to use lookups like this, at least until a future iteration of summary indexing fits those use cases.

0 Karma

gkanapathy
Splunk Employee

Seems to me that if you need to do this, you should be indexing the file, not using it as a lookup?

0 Karma

cramasta
Builder

Thanks for the info, I did not know that. So I take it there is no way to use the time picker for selecting the time range and it has to be specified in the search?

0 Karma