topic Re: Searching dynamic field in splunk in Splunk Search

How to search dynamic field in Splunk?

sbhatnagar88 — Fri, 17 Mar 2023 16:10:12 GMT

Hi,

I have a lookup table where column names are with weekdays (like monday, tuesday, wednesday,...) and have possible values as 1 and 0 only.

What I want to achieve..

...some query | eval day=strftime(now(),"%A") | where 'day'=1

but this doesn't seems to be working. Any idea how to search dynamic fields.

Thanks

gcusello — Fri, 17 Mar 2023 08:16:30 GMT

which are the lookup fields?

if they are:

your search must be different:

put attention that the "day" values from the main search and from the lookup are the same.

Ciao.

Giuseppe

sbhatnagar88 — Fri, 17 Mar 2023 08:25:11 GMT

My search itself begins with searching from KV lookup. and that kv lookup have column name with day name something like

host Type monday tuesday wednesday thursday friday saturday sunday

ABC X 1 1 1 1 1 0 0

DEF Y 0 0 0 0 0 1 1

I am using below query..

| inputlookup test | search type="ABC" | eval day=strftime(now(),"%A") | where 'day'=1

Basically I want to search dynamic day from my lookup.

gcusello — Fri, 17 Mar 2023 08:46:36 GMT

I don't thing that's possible to have what you would, I think that you should think to a different structure for your lookup, e.g.:

then you could run something like this:

| inputlookup test | search host="ABC" | search day=strftime(now(),"%A") AND value=1

Ciao.

Giuseppe