- Splunk Answers
- :
- Using Splunk
- :
- Splunk Dev
- :
- Re: Lookup with range
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lookup with range
Hello Splunk
I will use lookup with earliest and latest like
I configured time based lookup but that not work, So i use:
earliest=relative_time(now(),"$time.earliest$") | where _time>earliest
Do you konow a solution without relative time, because with relative time i have multiple condition in my dasboards ?
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Tiskar - did you intend to close the question, or to accept one of the answers?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I understand you correctly, like this:
Your Regular Search WITHOUT earliest AND latest here [|inputlook YourLookupContainingBOTHearliestANDlatest | table earliest latest]
Do note that both earliest and latest in the lookup must be time_t integers (AKA epoch). If the format is anything else, you must convert them using strptime.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your dashboard can use a time picker to set tokens for a time range, and then you use
| where _time>=$token_for_earliest$ AND _time<$token_for_latest$
You can search around for more details in the docs (like the sample xml dashboards) and in answers like this one ...
https://answers.splunk.com/answers/591175/how-to-manipulate-a-timestamp-token-from-a-timesta.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you
But i alrady have a dashboard with time range picker, and i can't use | eval earliest_DB1 = strftime(@d, "%Y-%m-%d %H:%M:%S")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So i less my solution with relative time with multiple conditions like:
| eval earliest_DB1 = strptime(relative_time(now(), "@d"),.....)
where _time>earliest
Thnk youi can't accept my solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@TISKAR - I don't understand your comment. If you join the Splunk Slack channel, and go to the #dashboards subchannel, someone may be able to talk you through what you need.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
can you elaborate on your challenge? what is it exactly that you are trying to solve?
Index This | I’m short for "configuration file.” What am I?
New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...
Your Guide to SPL2 at .conf24!
