Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit our inputlookup search to only return data for the last 3 months?

splunker9999
Path Finder
‎08-19-2016 04:35 PM

Hi,

We are looking for a search which would give availability for the last 3 months.

We came come up with the search below that would give availability for the last 12 months. This search is built from an inputlookup file. Can you please advise how to enhance this search to only get data for the last 3 months?

|inputlookup availability_metrics.csv             |replace ".Net" with Windows,sphere with Sphere,"Hadoop - Platinum" with Hadoop,"IDN Teradata" with TeraData,"IDN DW - IQAX" with Sybase,analytics with SAS,idndm with "Data Management" IDN with "IDN Mainframe"|rename Product as Platform             | join type=left Platform [  |inputlookup sys_user_group.csv]               | eval Tier=if(isnull(Tier), "L2", Tier)   |stats values(Jan) as Jan values(Feb) as Feb values(Mar) as Mar values(Apr) as Apr values(May) as May values(Jun) as Jun values(Jul) as Jul values(Aug) as Aug values(Sep) as Sep values(Oct) as Oct values(Nov) as Nov values(Dec) as Dec by Platform

Thanks

0 Karma
Reply

sundareshr
Legend
‎08-21-2016 12:07 PM

Try this

|inputlookup availability_metrics.csv             |replace ".Net" with Windows,sphere with Sphere,"Hadoop - Platinum" with Hadoop,"IDN Teradata" with TeraData,"IDN DW - IQAX" with Sybase,analytics with SAS,idndm with "Data Management" IDN with "IDN Mainframe"|rename Product as Platform             | join type=left Platform [  |inputlookup sys_user_group.csv]               | eval Tier=if(isnull(Tier), "L2", Tier)   |stats values(Jan) as Jan values(Feb) as Feb values(Mar) as Mar values(Apr) as Apr values(May) as May values(Jun) as Jun values(Jul) as Jul values(Aug) as Aug values(Sep) as Sep values(Oct) as Oct values(Nov) as Nov values(Dec) as Dec by Platform | table Platform  [| gentimes start=-1 | eval search=strftime(relative_time(now(), "-60d"), "%b")." ".strftime(relative_time(now(), "-30d"), "%b")." ".strftime(now(), "%b") | table search]
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎08-21-2016 09:12 AM

Without a clue of what your data looks like, here's how I'd expect things to work:

| inputlookup availability_metrics.csv | where _time >= relative_time(now(), "-3mon") | ...

That would only keep rows with a timestamp of three months ago or greater. Continue your search as you normally would.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...