I want to use two fields that I have inside the lookup.
Inside my lookup I have "account" and "date".
Basically, what I want to do is to search the account with the date which is greater than today.
Here is the CSV I created:
If the date format is different on your end, you will have to change the time format in the eval statements. You can find the formats here: https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Commontimeformatvariables
Using this search:
| inputlookup accounts.csv | eval new_time = strptime(date, "%m/%d/%Y") | eval c_time=strftime(new_time,"%m/%d/%y %H:%M:%S") | eval now = now() | where new_time > now | table account, c_time
I got this:
You can play with the | where clause as you please to find accounts in a time frame.
Hope it helps.
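
A variant of the search above that bounds the time frame and keeps rows whose date does not parse, added here as an example and not part of the original answer. strptime returns null when the format string does not match, and a `where new_time > now` comparison then drops those rows silently, so a mistyped date in the lookup would hide an account. The 30-day window and the `status` field name are assumptions chosen for illustration.

```spl
| inputlookup accounts.csv
| eval new_time = strptime(date, "%m/%d/%Y")
| eval status = case(
    isnull(new_time), "unparseable_date",
    new_time > now() AND new_time <= relative_time(now(), "+30d@d"), "within_30_days",
    new_time > now(), "later",
    true(), "past")
| where status="within_30_days" OR status="unparseable_date"
| eval c_time = strftime(new_time, "%m/%d/%Y")
| table account, date, c_time, status
```

Rows marked `unparseable_date` keep the raw `date` value in the table so the lookup entry can be corrected.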