Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

inputlook

kishan2356
Explorer
‎09-19-2021 08:16 PM

I have a inputlookup search where I am looking to do a current count vs four week average count. My search is set up so it uses : | inputlookup count.csv | bin _time span=5m 

I need my search to display data from prior four weeks like below.

_timecLast WeekTwo Weeks Three Weeks AgoFour weeks Ago 
9/19/2021 15:10265(Count from 9/12/2021 15:10)(Count from 9/05/2021 15:10)   
9/19/2021 15:15362(Count from 9/12/2021 15:15)(Count from 9/05/2021 15:15)   
9/19/2021 15:20589(Count from 9/12/2021 15:20)(Count from 9/05/2021 15:20)   
9/19/2021 15:25700(Count from 9/12/2021 15:25)(Count from 9/05/2021 15:25)   

 

The problem is that I would normally use earliest and latest ( but these commands do not work with inputlooks. If anyone has solutions that work for inputlook it would be great!

Labels (5)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-19-2021 10:04 PM

I don't quite understand - what exactly does your lookup contain? Can you provide us with a sample? We already have desired output but we don't know the input.

0 Karma
Reply

kishan2356
Explorer
‎09-20-2021 06:32 AM

The lookup only contains counts as seen in the table I have in the original post. My problem is I can't use earliest and latest commands to view historical data week by week.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-20-2021 07:43 AM

I still don't understand what are the raw contents of the lookup. Anyway, doesn't ( | inputlookup | where _time<=something AND _time>=something) work?

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-19-2021 09:04 PM

You can add the search window time to the event using addinfo and then filter the events on the _time value in your lookup, e.g.

| addinfo
| where _time>=info_min_time AND _time<=info_max_time

 so, if your search window is last 4 weeks, then this will return the events from the last 4 weeks only from the lookup.

Is that what you wanted?

If this is part of a dashboard search, then you could use the tokens from your time selector, e.g.

| inputlookup count.csv where _time>=$timerange.earliest$ AND _time<=$timerange.latest$

 

 

0 Karma
Reply

kishan2356
Explorer
‎09-20-2021 06:22 AM
Hi bowesmana,
 
 How can I use 
| where _time>=info_min_time AND _time<=info_max_time

 to only display data from last 7 days (one week) if inputlook does not accept earliest and latest?

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-20-2021 03:03 PM

Your original post implied the lookup contained _time as a field. If you do not have a time field in your lookup then you can't filter by time. If you have a field called _time in your lookup, then do as I suggest in my previous post. There is a 3rd option which will make a fixed 7 day test (again assuming you have a time field in your lookup)

| inputlookup count.csv
| where _time>=relative_time(now(), "-7d@d") AND _time<=now()

 

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...