
Search two fields in one csv lookup

Engager

I want to use two fields that I have inside the lookup.

Inside my lookup I have "account" and "date".

Basically, what I want to do is search for the account with the date which is greater than today.


Re: Search two fields in one csv lookup

SplunkTrust

Hello ocampocliff1,
Here is the CSV I created:
[screenshot]

If the date format is different on your end, you will have to change the time format in the eval statements. You can find the formats here: https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Commontimeformatvariables

Using this search:

| inputlookup accounts.csv 
 | eval new_time = strptime(date, "%m/%d/%Y") 
 | eval c_time=strftime(new_time,"%m/%d/%y %H:%M:%S") 
 | eval now = now() 
 | where new_time > now 
 | table account, c_time 

I got this:

[screenshot]

You can play with the | where clause as you please to find accounts within a time frame.

Hope it helps
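
An added example (not part of the original answer) that extends the search above in the two directions the answer mentions: a bounded time frame in the where clause, and rows whose date does not match the strptime format, for which strptime returns null. It assumes the same accounts.csv lookup with account and date fields in %m/%d/%Y format; the 30-day window and the field names window_end, status and days_from_now are illustrative choices, and the inline comments use the triple-backtick syntax of current Splunk releases (delete them on older versions).

```spl
| inputlookup accounts.csv
| eval new_time = strptime(date, "%m/%d/%Y") ```null when date does not match the assumed format```
| eval window_end = relative_time(now(), "+30d@d") ```assumed 30-day window, snapped to midnight```
| eval status = case(isnull(new_time), "unparsed_date", new_time > now() AND new_time <= window_end, "in_window", true(), "outside_window")
| where status != "outside_window"
| eval days_from_now = round((new_time - now()) / 86400, 1)
| eval c_time = strftime(new_time, "%m/%d/%y %H:%M:%S")
| sort 0 new_time
| table account, date, c_time, days_from_now, status
```

Rows with status unparsed_date are the ones a plain `where new_time > now` comparison drops without any error, so seeing any of them means the format string needs adjusting.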


Re: Search two fields in one csv lookup

SplunkTrust

Couldn't edit the answer to show screenshots. They are in the answer below.


Re: Search two fields in one csv lookup

Engager

Hi adonio,

Thanks for this one!

I'm using this concept now. 🙂


Re: Search two fields in one csv lookup

SplunkTrust

You are welcome!
If that answers it, can you mark it as "answered"?
Thanks!
