https://community.splunk.com/t5/Splunk-Search/Add-quot-Price-quot-field-with-different-values-for-specific/m-p/159435#M44991 <P>Hi,</P> <P>I'm adding a "Price" field to each product in the events. Therefore I'm using a lookup which includes the productname and the price.</P> <P><EM>| lookup Pricelist.csv productname OUTPUT price</EM></P> <P>Is there a way to add different prices for specific timeranges? For Instance, Product A had a price of 5.00 until 24.11.2013, but for events &gt;=25.11.2013 I would like to have a value of 3.00 in all events including product A.</P> <P>Perhaps using a second lookup in combination with something like "if _time&gt;=X lookup Pricelist2.csv productname OUTPUT price"?</P> <P>Thanks in advance</P> Thu, 28 Nov 2013 09:02:44 GMT HeinzWaescher 2013-11-28T09:02:44Z https://community.splunk.com/t5/Splunk-Search/Add-quot-Price-quot-field-with-different-values-for-specific/m-p/159435#M44991 <P>Hi,</P> <P>I'm adding a "Price" field to each product in the events. Therefore I'm using a lookup which includes the productname and the price.</P> <P><EM>| lookup Pricelist.csv productname OUTPUT price</EM></P> <P>Is there a way to add different prices for specific timeranges? For Instance, Product A had a price of 5.00 until 24.11.2013, but for events &gt;=25.11.2013 I would like to have a value of 3.00 in all events including product A.</P> <P>Perhaps using a second lookup in combination with something like "if _time&gt;=X lookup Pricelist2.csv productname OUTPUT price"?</P> <P>Thanks in advance</P> Thu, 28 Nov 2013 09:02:44 GMT https://community.splunk.com/t5/Splunk-Search/Add-quot-Price-quot-field-with-different-values-for-specific/m-p/159435#M44991 HeinzWaescher 2013-11-28T09:02:44Z https://community.splunk.com/t5/Splunk-Search/Add-quot-Price-quot-field-with-different-values-for-specific/m-p/159436#M44992 <P>Hello</P> <P>Probably it would be better to have only one lookup, and include the time, in epoch when the price changed. And then do a eval to see which price should be used</P> <P>Regards</P> Thu, 28 Nov 2013 09:48:05 GMT https://community.splunk.com/t5/Splunk-Search/Add-quot-Price-quot-field-with-different-values-for-specific/m-p/159436#M44992 gfuente 2013-11-28T09:48:05Z https://community.splunk.com/t5/Splunk-Search/Add-quot-Price-quot-field-with-different-values-for-specific/m-p/159437#M44993 <P>Do you mean a lookup like this?</P> <P>productname, price, epochtime<BR /> ProductA, 5.00, 1385251200<BR /> ProductA, 3.00, 1385337600</P> <P>How can I configure the lookup command what price to add to the field with an eval command?</P> Thu, 28 Nov 2013 09:52:01 GMT https://community.splunk.com/t5/Splunk-Search/Add-quot-Price-quot-field-with-different-values-for-specific/m-p/159437#M44993 HeinzWaescher 2013-11-28T09:52:01Z https://community.splunk.com/t5/Splunk-Search/Add-quot-Price-quot-field-with-different-values-for-specific/m-p/159438#M44994 <P>Heinz</P> <P>The Knowledge Manager documentation contains details on setting up a time based lookup. Take a look at <A href="http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Addfieldsfromexternaldatasources#Set_up_a_time-based_fields_lookup">http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Addfieldsfromexternaldatasources#Set_up_a_time-based_fields_lookup</A></P> <P>Dave</P> Thu, 28 Nov 2013 10:05:02 GMT https://community.splunk.com/t5/Splunk-Search/Add-quot-Price-quot-field-with-different-values-for-specific/m-p/159438#M44994 davebrooking 2013-11-28T10:05:02Z https://community.splunk.com/t5/Splunk-Search/Add-quot-Price-quot-field-with-different-values-for-specific/m-p/159439#M44995 <P>thanks for the input, I will keep that in mind. But at the moment I would prefer a fast ( and dirty) solution in the search string... <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 28 Nov 2013 10:37:35 GMT https://community.splunk.com/t5/Splunk-Search/Add-quot-Price-quot-field-with-different-values-for-specific/m-p/159439#M44995 HeinzWaescher 2013-11-28T10:37:35Z https://community.splunk.com/t5/Splunk-Search/Add-quot-Price-quot-field-with-different-values-for-specific/m-p/159440#M44996 <P>Is it possible to use something like this?</P> <P>| eval price=if(timestamp&lt;1385251200, [|lookup pricelist.csv productname OUTPUT price], null())</P> <P>This try returns an error:</P> <P>"Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') , null())'"</P> Thu, 28 Nov 2013 10:47:16 GMT https://community.splunk.com/t5/Splunk-Search/Add-quot-Price-quot-field-with-different-values-for-specific/m-p/159440#M44996 HeinzWaescher 2013-11-28T10:47:16Z https://community.splunk.com/t5/Splunk-Search/Add-quot-Price-quot-field-with-different-values-for-specific/m-p/159441#M44997 <P>you cannot use a lookup in an eval.</P> <P>if you lookup is timebased (fields _time, productname, price)</P> <P><CODE>&lt;mysearchwithfield_timeand_productname&gt; | lookup pricelist.csv _time productname OUTPUT price | table _time productname price</CODE></P> Sat, 30 Nov 2013 16:53:39 GMT https://community.splunk.com/t5/Splunk-Search/Add-quot-Price-quot-field-with-different-values-for-specific/m-p/159441#M44997 yannK 2013-11-30T16:53:39Z