https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-date-from-the-lookup-and-write-new-value/m-p/645889#M223622 <P>Not quite true - you can combine them into a single search using appendpipe - here is a runanywhere example which updates the date if the scores are the same, and returns no results, or returns results if the scores are different without updating the csv</P><LI-CODE lang="markup">| makeresults | eval score=random()%10 | rename score as saved_score, _time as saved_time | append [| inputlookup score.csv] | appendpipe [| stats list(saved_time) as saved_time list(saved_score) as saved_score dc(saved_score) as distinct | foreach saved_* [| eval &lt;&lt;FIELD&gt;&gt;=if(distinct=1, mvindex(&lt;&lt;FIELD&gt;&gt;,0),mvindex(&lt;&lt;FIELD&gt;&gt;,1))] | fields - distinct | outputlookup score.csv | where 1==2 ] | stats values(saved_time) as time values(saved_score) as score range(saved_score) as delta | where delta != 0</LI-CODE> Tue, 06 Jun 2023 10:38:59 GMT ITWhisperer 2023-06-06T10:38:59Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-date-from-the-lookup-and-write-new-value/m-p/645712#M223577 <P>Hello, Splunkers.<BR /><STRONG><BR />Problem Statement:</STRONG><BR />I've searched the data with "date" and "score" to get the latest data and got the result. (Date may or may not be the current time.)</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=sampledata | head 10 | table Date Score | sort -Date| head 1</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Result:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%" height="24px">Date</TD> <TD width="50%" height="24px">Score</TD> </TR> <TR> <TD width="50%" height="24px">2023-02-24</TD> <TD width="50%" height="24px">20</TD> </TR> </TBODY> </TABLE> <P><BR />I have created a lookup table "score.csv" to behave like variables to store data.&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%" height="24px">Saved_Date</TD> <TD width="50%" height="24px">Saved_Score</TD> </TR> <TR> <TD width="50%" height="24px">2023-01-15</TD> <TD width="50%" height="24px">30</TD> </TR> </TBODY> </TABLE> <P><BR />Now, I want to compare something like below</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| eval current_timestamp=strptime(Date, "%Y-%m-%d") | lookup score.csv Saved_Date &lt;Required Help &gt; | eval saved_timestamp=strptime(Saved_Date, "%Y-%m-%d") | eval new=if(current_timestamp &gt; saved_timestamp, "Yes","No") | where new="Yes" | &lt;want to overwrite with "Date" and "Score" in score.csv&gt;</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 06 Jun 2023 13:12:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-date-from-the-lookup-and-write-new-value/m-p/645712#M223577 zen29d 2023-06-06T13:12:01Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-date-from-the-lookup-and-write-new-value/m-p/645726#M223583 <P>Something like</P><LI-CODE lang="markup">index=sampledata | head 10 | table Date Score | sort -Date| head 1 | rename Date as Saved_Date, Score as Saved_Score | append [| inputlookup score.csv ``` Saved_Date, Saved_Score ``` ] | sort - Saved_Date | head 1 | outputlookup score.csv</LI-CODE> Mon, 05 Jun 2023 08:38:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-date-from-the-lookup-and-write-new-value/m-p/645726#M223583 yuanliu 2023-06-05T08:38:49Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-date-from-the-lookup-and-write-new-value/m-p/645772#M223585 <P>Thanks for the help, I tried and it worked, and thought it will solve the logic however, I think, I messed up more.&nbsp;<BR />The logic goes like this.</P><LI-CODE lang="markup">Current_Date = Date Current_Score = Score Previous_Date = Stored_Date Previous_Score = Stored_Score 1. Read the Current_Date, Current_Score, Previous_Date, Previous_Score. (Solved) 1. Compare the Scores: Delta = Current_Score - Previous_Score. 2. If a change is observed: 0&lt;Delta&gt;0, Generate an Alert. 3. If NOT, evaluate the Current_Date and Current_Score and write back the lookup.</LI-CODE><P><BR /><BR /></P> Mon, 05 Jun 2023 13:08:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-date-from-the-lookup-and-write-new-value/m-p/645772#M223585 zen29d 2023-06-05T13:08:59Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-date-from-the-lookup-and-write-new-value/m-p/645869#M223614 <P>I don't think you can use one command to both do alerting and write back with the logic you just described. &nbsp;So, the two functions have to be in separate searches.</P><P>1. Write-back</P><LI-CODE lang="markup">index=sampledata | head 10 | table Date Score | sort -Date| head 1 | rename Date as Saved_Date, Score as Saved_Score | append [| inputlookup score.csv ``` Saved_Date, Saved_Score ``` ] | stats list(Saved_Date) as Saved_Date list(Saved_Score) as Saved_Score dc(Saved_Score) as distinct | foreach Saved_* [eval &lt;&lt;FIELD&gt;&gt; = if(distinct == 1, mvindex(&lt;&lt;FIELD&gt;&gt;, 0), mvindex(&lt;&lt;FIELD&gt;&gt;, 1)] | outputlookup score.csv</LI-CODE><P>In the above, if the two scores are different, simply write back the values from lookup itself.</P><P>2. Alerting</P><LI-CODE lang="markup">index=sampledata | head 10 | table Date Score | sort -Date| head 1 | append [| inputlookup score.csv ``` Saved_Date, Saved_Score ``` ] | stats values(Date) as Date values(Saved_Date) as Saved_Date values(Score) as Score values(Saved_Score) as Saved_Score | eval Delta = Score - Saved_Score | where Delta != 0</LI-CODE> Tue, 06 Jun 2023 08:15:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-date-from-the-lookup-and-write-new-value/m-p/645869#M223614 yuanliu 2023-06-06T08:15:29Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-date-from-the-lookup-and-write-new-value/m-p/645889#M223622 <P>Not quite true - you can combine them into a single search using appendpipe - here is a runanywhere example which updates the date if the scores are the same, and returns no results, or returns results if the scores are different without updating the csv</P><LI-CODE lang="markup">| makeresults | eval score=random()%10 | rename score as saved_score, _time as saved_time | append [| inputlookup score.csv] | appendpipe [| stats list(saved_time) as saved_time list(saved_score) as saved_score dc(saved_score) as distinct | foreach saved_* [| eval &lt;&lt;FIELD&gt;&gt;=if(distinct=1, mvindex(&lt;&lt;FIELD&gt;&gt;,0),mvindex(&lt;&lt;FIELD&gt;&gt;,1))] | fields - distinct | outputlookup score.csv | where 1==2 ] | stats values(saved_time) as time values(saved_score) as score range(saved_score) as delta | where delta != 0</LI-CODE> Tue, 06 Jun 2023 10:38:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-date-from-the-lookup-and-write-new-value/m-p/645889#M223622 ITWhisperer 2023-06-06T10:38:59Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-date-from-the-lookup-and-write-new-value/m-p/645892#M223624 <P>As an additional hint not directly related to the main issue - it's often better to store the timestamp as a unix timestamp than a string rendition of it. It's easier to manipulate, calculate offsets and so on. You only render it to string when displaying.</P> Tue, 06 Jun 2023 10:51:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-date-from-the-lookup-and-write-new-value/m-p/645892#M223624 PickleRick 2023-06-06T10:51:10Z