I'm trying to set up a kvstore lookup where the results from inputlookup can be filtered using the regular time-pickers available on the web GUI or with the latest= and earliest= modifiers.
$ collections.conf
[testkv]
enforceTypes = true
field.action = string
field.ts = time
$ transforms.conf
[testkv]
external_type = kvstore
fields_list = action, ts
time_field = ts
;time_format = %s.%3N
;time_format = %s.%Q
The ts field contains a UNIX epoch with milliseconds so 10+3 digits.
Regardless what I select "Last 15 minutes", "Last 4 hours" I always get the whole kvstore content.
First of all, is that doable in general and, if yes, any ideas on what's wrong? :)
↧