Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my inputlookup search to filter based on time difference?

goodsellt
Contributor
‎11-09-2016 08:21 AM

I'm attempting to filter my inputlookup command based on the amount of time that has passed between "now" (when the job is run) and a field in the table which is a integer representation of the epoch time.

I'm attempting to do something like:

|inputlookup my_kvstore where 2700<=now()-Last_PA_Send

However, I'm getting the error: Error in 'SearchOperator:inputcsv': The ‘2700<=now()-Last_PA_Send’ filter could not be verified. It may contain invalid operators, or could not be optimized for search results.

Any ideas how I could get a filter like this to work correctly and still utilize the performance benefits of a inputlookup filter?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

goodsellt
Contributor
‎11-14-2016 01:55 PM

Either of these two are the workaround, unfortunately you cannot use anything other than a limited set of operations for the where clause at the inputlookup level:

|inputlookup my_kvstore | where 2700<now()-Last_PA_Send

|inputlookup my_kvstore | eval myTime=now()-Last_PA_Send | where myTime<=2700

View solution in original post

0 Karma
Reply
Solved! Jump to solution

dnitschke_splun
Splunk Employee
Splunk Employee
‎05-02-2020 08:20 AM

What about creating a subsearch that generates the constraints for the WHERE clause of the inputlookup command. Your requirement 2700<=now()-Last_PA_Send is equivalent to Last_PA_Send<=now()-2700.

| inputlookup my_kvstore WHERE [| makeresults count=1| eval max_delta=now()-2700 | eval search="(Last_PA_send<=" . max_delta . ")" | table search ]

0 Karma
Reply
Solved! Jump to solution
Solution

goodsellt
Contributor
‎11-14-2016 01:55 PM

Either of these two are the workaround, unfortunately you cannot use anything other than a limited set of operations for the where clause at the inputlookup level:

|inputlookup my_kvstore | where 2700<now()-Last_PA_Send

|inputlookup my_kvstore | eval myTime=now()-Last_PA_Send | where myTime<=2700
0 Karma
Reply
Solved! Jump to solution

pgreer_splunk
Splunk Employee
Splunk Employee
‎11-14-2016 12:53 PM

Have you tried something like the following:

|inputlookup my_kvstore | eval myTime=now()-Last_PA_Send | where myTime<=2700

stuffing the difference result into a new field might get you around that filter parsing issue.

0 Karma
Reply
Solved! Jump to solution

goodsellt
Contributor
‎11-14-2016 01:53 PM

Yea, that's my current work around since it appears you only can do a very limited set of operations within the |inputlookup framework.

0 Karma
Reply
Solved! Jump to solution

goodsellt
Contributor
‎11-09-2016 12:17 PM

Note, I do know that this will work as intended by doing:

|inputlookup my_kvstore | where 2700<now()-Last_PA_Send

Though I'm lead to believe there will be a performance impact once the size of the KV store grows arbitrarily large.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...