Splunk Search

Is it possible to use a value in a lookup in order to automatically adjust the time range a scheduled search runs?

adamsmith47
Communicator

I have a scheduled report, which is generating a lookup table. In this lookup csv, there is a field called "adjust", which will only ever have a value of 0 or 1.

I'm building a second scheduled report, and I'd like the time range of this scheduled report to be dynamic, based on the value of the "adjust" field from the lookup csv above.

Rough example: earliest=@mon-"adjust"mon latest=@mon+1mon-"adjust"mon

Therefore if "adjust"=0 the range will be this month, and if "adjust"=1 the range will be last month.

Any ideas?

When I try:

earliest=@mon-[|inputlookup my_lookup.csv | return adjust]mon latest=@mon+1mon-[|inputlookup my_lookup.csv | return adjust]mon

I get the error:

Invalid value "@mon-" for time term 'earliest'

Thanks for any help!

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try like this

your base search [| inputlookup my_lookup.csv | eval earliest="@mon-".adjust."mon" | eval latest="@mon+1mon-".adjust."mon" | table earliest latest ] | rest of the search

OR

your base search [| inputlookup my_lookup.csv | eval earliest="@mon-".adjust."mon" | eval latest="@mon+1mon-".adjust."mon" | table earliest latest | format "" "" "" "" "" ""] | rest of the search

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Try like this

your base search [| inputlookup my_lookup.csv | eval earliest="@mon-".adjust."mon" | eval latest="@mon+1mon-".adjust."mon" | table earliest latest ] | rest of the search

OR

your base search [| inputlookup my_lookup.csv | eval earliest="@mon-".adjust."mon" | eval latest="@mon+1mon-".adjust."mon" | table earliest latest | format "" "" "" "" "" ""] | rest of the search

adamsmith47
Communicator

Your second suggestion works beautifully. We wouldn't have come up with that on our own. Thank you!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...