Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit our inputlookup search to only return data for the last 3 months?

splunker9999
Path Finder
‎08-19-2016 04:35 PM

Hi,

We are looking for a search which would give availability for the last 3 months.

We came come up with the search below that would give availability for the last 12 months. This search is built from an inputlookup file. Can you please advise how to enhance this search to only get data for the last 3 months?

|inputlookup availability_metrics.csv             |replace ".Net" with Windows,sphere with Sphere,"Hadoop - Platinum" with Hadoop,"IDN Teradata" with TeraData,"IDN DW - IQAX" with Sybase,analytics with SAS,idndm with "Data Management" IDN with "IDN Mainframe"|rename Product as Platform             | join type=left Platform [  |inputlookup sys_user_group.csv]               | eval Tier=if(isnull(Tier), "L2", Tier)   |stats values(Jan) as Jan values(Feb) as Feb values(Mar) as Mar values(Apr) as Apr values(May) as May values(Jun) as Jun values(Jul) as Jul values(Aug) as Aug values(Sep) as Sep values(Oct) as Oct values(Nov) as Nov values(Dec) as Dec by Platform

Thanks

0 Karma
Reply

sundareshr
Legend
‎08-21-2016 12:07 PM

Try this

|inputlookup availability_metrics.csv             |replace ".Net" with Windows,sphere with Sphere,"Hadoop - Platinum" with Hadoop,"IDN Teradata" with TeraData,"IDN DW - IQAX" with Sybase,analytics with SAS,idndm with "Data Management" IDN with "IDN Mainframe"|rename Product as Platform             | join type=left Platform [  |inputlookup sys_user_group.csv]               | eval Tier=if(isnull(Tier), "L2", Tier)   |stats values(Jan) as Jan values(Feb) as Feb values(Mar) as Mar values(Apr) as Apr values(May) as May values(Jun) as Jun values(Jul) as Jul values(Aug) as Aug values(Sep) as Sep values(Oct) as Oct values(Nov) as Nov values(Dec) as Dec by Platform | table Platform  [| gentimes start=-1 | eval search=strftime(relative_time(now(), "-60d"), "%b")." ".strftime(relative_time(now(), "-30d"), "%b")." ".strftime(now(), "%b") | table search]
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎08-21-2016 09:12 AM

Without a clue of what your data looks like, here's how I'd expect things to work:

| inputlookup availability_metrics.csv | where _time >= relative_time(now(), "-3mon") | ...

That would only keep rows with a timestamp of three months ago or greater. Continue your search as you normally would.

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...