Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit our inputlookup search to only return data for the last 3 months?

splunker9999
Path Finder
‎08-19-2016 04:35 PM

Hi,

We are looking for a search which would give availability for the last 3 months.

We came come up with the search below that would give availability for the last 12 months. This search is built from an inputlookup file. Can you please advise how to enhance this search to only get data for the last 3 months?

|inputlookup availability_metrics.csv             |replace ".Net" with Windows,sphere with Sphere,"Hadoop - Platinum" with Hadoop,"IDN Teradata" with TeraData,"IDN DW - IQAX" with Sybase,analytics with SAS,idndm with "Data Management" IDN with "IDN Mainframe"|rename Product as Platform             | join type=left Platform [  |inputlookup sys_user_group.csv]               | eval Tier=if(isnull(Tier), "L2", Tier)   |stats values(Jan) as Jan values(Feb) as Feb values(Mar) as Mar values(Apr) as Apr values(May) as May values(Jun) as Jun values(Jul) as Jul values(Aug) as Aug values(Sep) as Sep values(Oct) as Oct values(Nov) as Nov values(Dec) as Dec by Platform

Thanks

0 Karma
Reply

sundareshr
Legend
‎08-21-2016 12:07 PM

Try this

|inputlookup availability_metrics.csv             |replace ".Net" with Windows,sphere with Sphere,"Hadoop - Platinum" with Hadoop,"IDN Teradata" with TeraData,"IDN DW - IQAX" with Sybase,analytics with SAS,idndm with "Data Management" IDN with "IDN Mainframe"|rename Product as Platform             | join type=left Platform [  |inputlookup sys_user_group.csv]               | eval Tier=if(isnull(Tier), "L2", Tier)   |stats values(Jan) as Jan values(Feb) as Feb values(Mar) as Mar values(Apr) as Apr values(May) as May values(Jun) as Jun values(Jul) as Jul values(Aug) as Aug values(Sep) as Sep values(Oct) as Oct values(Nov) as Nov values(Dec) as Dec by Platform | table Platform  [| gentimes start=-1 | eval search=strftime(relative_time(now(), "-60d"), "%b")." ".strftime(relative_time(now(), "-30d"), "%b")." ".strftime(now(), "%b") | table search]
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎08-21-2016 09:12 AM

Without a clue of what your data looks like, here's how I'd expect things to work:

| inputlookup availability_metrics.csv | where _time >= relative_time(now(), "-3mon") | ...

That would only keep rows with a timestamp of three months ago or greater. Continue your search as you normally would.

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...