In most cases you can use the WHERE clause in the from command instead of using the where command separately. See "Predicate expressions" in the SPL2 Search Manual.

3) You should be able to perform the where clause in the base inputlookup command itself, rather than in a separate pipe (which may lead to poor query performance depending on the size of the lookup file).

Yeah, that's normal, because you will still get events from index=master-data-lookups sourcetype="itop:viewsplunkassets" if you apply a wrong event code to the first part of your code :D As for the time, which one occurs first? You can use earliest and latest based on that to have only this time t.

The where command expects a predicate expression. Refer to one of my answers for how to do this. If it includes terms that will function as catch-all filters, then there's your problem.

This is the filter that the main search will use. I have to do this because, in addition to the Timestamp, I also have to search events by index time and put these dates in a drop-down list, but I cannot load the list at search time because there are too many.

Once you have a time field, you can re-map it to the _time field, which should allow you to use search earliest=-24h@h (you don't need latest=now(), Splunk.

You can check the resulting search string by running a variant of the subsearch on its own and adding format at the end:

| inputlookup Websites.CSV | rename Websites as query | format

Here we will apply a time input filter with the logouttime field. After this, select an index or create a new index, add data and start searching. Now the _time field value will be the same as the timestamp value in your CSV file.

index="timeevent" sourcetype="csv" | stats count by logouttime eid

You can pass subsearch results into earliest and latest like this:

index=_internal [| stats count | eval earliest="-h@m" | fields earliest] [| stats count | eval latest="now" | fields latest]

The two subsearches can be arbitrary searches that somehow compute the time range.
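The advice above is to run the subsearch on its own with format appended and inspect the string it generates, because a lookup row such as "*" turns into a term that matches everything. The following is an added example, not code from the original answers or from Splunk: a small Python model of what "| rename Websites as query | format" produces with format's default separators "(" "(" "AND" "OR" ")" ")", plus a check for wildcard-only values. The Websites.CSV rows are constructed for the demonstration; what Splunk itself emits for an empty subsearch is not modelled.

```python
# Added example: model of `| rename old AS new | format` over subsearch rows,
# used to spot catch-all terms before the string is handed to the main search.
# Not Splunk's own implementation; default format separators are assumed.

# Constructed rows standing in for `| inputlookup Websites.CSV`
WEBSITES_CSV_ROWS = [
    {"Websites": "example.com"},
    {"Websites": "intranet.example.net"},
    {"Websites": "*"},  # a stray wildcard row: this is the catch-all
]


def rename_field(rows, old, new):
    """Model of `| rename old AS new` applied to every row."""
    return [{(new if k == old else k): v for k, v in row.items()} for row in rows]


def splunk_format(rows, row_prefix="(", col_prefix="(", col_sep="AND",
                  row_sep="OR", col_suffix=")", row_suffix=")"):
    """Model of `| format` with the default separators.

    Each row becomes a parenthesised AND of field="value" terms and the rows
    are OR-ed together. Double quotes and backslashes inside a value are
    escaped so each value stays one quoted literal in the generated search.
    """
    def quote(value):
        escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
        return '"' + escaped + '"'

    row_strings = []
    for row in rows:
        terms = [f"{field}={quote(value)}" for field, value in row.items()]
        if terms:
            joined = f" {col_sep} ".join(terms)
            row_strings.append(f"{col_prefix} {joined} {col_suffix}")
    if not row_strings:
        # Empty subsearch: Splunk's real output is not modelled here.
        return ""
    joined_rows = f" {row_sep} ".join(row_strings)
    return f"{row_prefix} {joined_rows} {row_suffix}"


def catch_all_terms(rows):
    """Return (field, value) pairs whose value is empty or wildcard-only.

    field="*" matches every event that has the field, so one such row makes
    the whole OR-ed filter useless; an empty value is flagged as suspicious.
    """
    found = []
    for row in rows:
        for field, value in row.items():
            if set(str(value).strip()) <= {"*"}:
                found.append((field, value))
    return found


def build_filter_from_lookup(rows):
    """The subsearch as the main search would see it, with the offending terms."""
    renamed = rename_field(rows, "Websites", "query")
    return splunk_format(renamed), catch_all_terms(renamed)


if __name__ == "__main__":
    search_string, bad_terms = build_filter_from_lookup(WEBSITES_CSV_ROWS)
    print(search_string)
    print("catch-all terms:", bad_terms)
```

Run on the constructed rows, the generated string is ( ( query="example.com" ) OR ( query="intranet.example.net" ) OR ( query="*" ) ); the last term is why the main search returns everything, and the fix belongs in the lookup (drop or filter the row) rather than in the subsearch syntax.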
In Settings -> Add Data -> Upload, select your CSV file. Since the CSV file will have string time, ensure that this specific format is used to allow string time comparison (otherwise the comparison will fail and you would need a different approach using epoch time instead).

In order to pass time from the Time Picker over to your inputlookup, you will require two things:

1) Convert epoch time to string time in YYYY/MM/DD HH:MM:SS.

2) Since the time picker may not always have epoch time (it rather has relative time with snap-to notation), you would need to deduce the string time for the selected earliest and latest time through the time input's change event handler.

I need to extract the first and the last dates of a period to use to filter the values of a lookup table containing a list of dates.

Now we will try to apply a time input filter with the logouttime field.

Can you add the _time field values from your lookup file mylookup.csv? Your life would be easy if you store time in YYYY/MM/DD HH:MM:SS format.
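The two steps above (resolve whatever the time picker hands you, epoch or a relative modifier such as -7d@d, into YYYY/MM/DD HH:MM:SS, then compare the lookup's string field against those bounds) are shown below as an added Python example; it is not code from the original answers or from Splunk. It goes slightly beyond the thread by implementing a subset of Splunk's relative_time() (sign, count, unit s/m/h/d, optional @snap) and by running the same filter with a US-style month-first format to show why the comparison fails there. Assumptions: all times are UTC (Splunk snaps in the search's time zone), "now" is fixed at a constructed epoch so the run is reproducible, and the lookup rows (eid, logouttime) are constructed.

```python
# Added example: time picker token -> string time -> string comparison against
# a lookup field, mirroring
#   | inputlookup x.csv where logouttime>="$earliest_str$" logouttime<="$latest_str$"
# Not Splunk's code; UTC and a fixed "now" are assumed for reproducibility.
import re
from datetime import datetime, timezone

SPLUNK_TIME_FMT = "%Y/%m/%d %H:%M:%S"   # lexical order == chronological order
US_TIME_FMT = "%m/%d/%Y %H:%M:%S"       # lexical order != chronological order

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_REL_RE = re.compile(
    r"^(?:(?P<sign>[-+])(?P<num>\d*)(?P<unit>[smhd]))?(?:@(?P<snap>[smhd]))?$"
)

# Constructed: 2024-01-05 12:00:00 UTC
NOW = 1704456000

# Constructed lookup rows: (eid, logout time as epoch seconds)
LOOKUP_EVENTS = [
    ("u1", 1703980800),  # 2023/12/31 00:00:00  inside a 7-day window
    ("u2", 1704153600),  # 2024/01/02 00:00:00  inside
    ("u3", 1703116800),  # 2023/12/21 00:00:00  too old
    ("u4", 1704542400),  # 2024/01/06 12:00:00  after "now"
]


def relative_time(now_epoch, modifier):
    """Subset of Splunk relative_time(): 'now', '-7d@d', '-h@m', '+1d', '@d'.

    A missing count means 1 ('-h' is '-1h'). Snapping truncates to the unit
    boundary in UTC; Splunk would use the search's time zone instead.
    """
    if modifier == "now":
        return int(now_epoch)
    m = _REL_RE.match(modifier)
    if not m or (m.group("sign") is None and m.group("snap") is None):
        raise ValueError(f"unsupported relative time modifier: {modifier!r}")
    epoch = int(now_epoch)
    if m.group("sign"):
        count = int(m.group("num") or 1)
        delta = count * _UNIT_SECONDS[m.group("unit")]
        epoch = epoch - delta if m.group("sign") == "-" else epoch + delta
    if m.group("snap"):
        epoch -= epoch % _UNIT_SECONDS[m.group("snap")]
    return epoch


def resolve_picker_token(token, now_epoch):
    """A time input token is either epoch seconds (as text) or a relative modifier."""
    text = str(token).strip()
    if re.fullmatch(r"\d+(\.\d+)?", text):
        return int(float(text))
    return relative_time(now_epoch, text)


def to_string_time(epoch, fmt=SPLUNK_TIME_FMT):
    """strftime(epoch, fmt) in UTC: step 1 of the thread's recipe."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(fmt)


def filter_lookup(rows, field, earliest_str, latest_str):
    """Plain string comparison, exactly what the where clause on a CSV field does."""
    return [r for r in rows if earliest_str <= r[field] <= latest_str]


def build_lookup(fmt):
    """The CSV as it would look if logouttime were stored in the given format."""
    return [{"eid": eid, "logouttime": to_string_time(t, fmt)} for eid, t in LOOKUP_EVENTS]


def run_time_picker_filter(earliest_token, latest_token, fmt=SPLUNK_TIME_FMT, now_epoch=NOW):
    """Resolve both tokens, format them like the lookup field, and filter."""
    earliest_str = to_string_time(resolve_picker_token(earliest_token, now_epoch), fmt)
    latest_str = to_string_time(resolve_picker_token(latest_token, now_epoch), fmt)
    hits = filter_lookup(build_lookup(fmt), "logouttime", earliest_str, latest_str)
    return [r["eid"] for r in hits]


if __name__ == "__main__":
    print("sortable format:", run_time_picker_filter("-7d@d", "now"))
    print("US format:      ", run_time_picker_filter("-7d@d", "now", fmt=US_TIME_FMT))
```

With the sortable format the 7-day window returns u1 and u2. With the month-first format the same window spans New Year, so the earliest bound "12/29/2023 ..." sorts after the latest bound "01/05/2024 ..." and nothing at all matches; that is the failure the thread warns about, and it is silent, which is why the format of the CSV column has to be checked before trusting the results.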