Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit our inputlookup search to only return data for the last 3 months?

splunker9999
Path Finder
‎08-19-2016 04:35 PM

Hi,

We are looking for a search which would give availability for the last 3 months.

We came come up with the search below that would give availability for the last 12 months. This search is built from an inputlookup file. Can you please advise how to enhance this search to only get data for the last 3 months?

|inputlookup availability_metrics.csv             |replace ".Net" with Windows,sphere with Sphere,"Hadoop - Platinum" with Hadoop,"IDN Teradata" with TeraData,"IDN DW - IQAX" with Sybase,analytics with SAS,idndm with "Data Management" IDN with "IDN Mainframe"|rename Product as Platform             | join type=left Platform [  |inputlookup sys_user_group.csv]               | eval Tier=if(isnull(Tier), "L2", Tier)   |stats values(Jan) as Jan values(Feb) as Feb values(Mar) as Mar values(Apr) as Apr values(May) as May values(Jun) as Jun values(Jul) as Jul values(Aug) as Aug values(Sep) as Sep values(Oct) as Oct values(Nov) as Nov values(Dec) as Dec by Platform

Thanks

0 Karma
Reply

sundareshr
Legend
‎08-21-2016 12:07 PM

Try this

|inputlookup availability_metrics.csv             |replace ".Net" with Windows,sphere with Sphere,"Hadoop - Platinum" with Hadoop,"IDN Teradata" with TeraData,"IDN DW - IQAX" with Sybase,analytics with SAS,idndm with "Data Management" IDN with "IDN Mainframe"|rename Product as Platform             | join type=left Platform [  |inputlookup sys_user_group.csv]               | eval Tier=if(isnull(Tier), "L2", Tier)   |stats values(Jan) as Jan values(Feb) as Feb values(Mar) as Mar values(Apr) as Apr values(May) as May values(Jun) as Jun values(Jul) as Jul values(Aug) as Aug values(Sep) as Sep values(Oct) as Oct values(Nov) as Nov values(Dec) as Dec by Platform | table Platform  [| gentimes start=-1 | eval search=strftime(relative_time(now(), "-60d"), "%b")." ".strftime(relative_time(now(), "-30d"), "%b")." ".strftime(now(), "%b") | table search]
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎08-21-2016 09:12 AM

Without a clue of what your data looks like, here's how I'd expect things to work:

| inputlookup availability_metrics.csv | where _time >= relative_time(now(), "-3mon") | ...

That would only keep rows with a timestamp of three months ago or greater. Continue your search as you normally would.

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...