Solved: Re: Help for retrieving a lookup date and to displ...

jip31 · ‎10-24-2019

hi

I have a csv file in my lookup folder (host.csv) and I wonder if its possible to retrieve the last modification file of this file and to display it in a panle title?
thanks for your help

arjunpkishore5 · ‎10-24-2019

Not very clear on what exactly you meant by "last modification file".

If you meant just display the latest version for the file, do this

| inputlookup <filename>.csv

If you want the last modified timestamp of the file, use the rest api, use this

| rest /servicesNS/-/-/data/lookup-table-files/<filename>.csv 
| table updated

View solution in original post

woodcock · ‎10-27-2019

If by last modification you mean the current state, then yes, just do this:

| inputlookup YourLookupFileNameHere.csv

If you mean the previous state before the last edit, then this is only possible if you have taken steps to save it before you edit it, or if you are using Lookup File Editor app. If the latter, then there is a Revert to previous version button that allows this.

arjunpkishore5 · ‎10-24-2019

Not very clear on what exactly you meant by "last modification file".

If you meant just display the latest version for the file, do this

| inputlookup <filename>.csv

If you want the last modified timestamp of the file, use the rest api, use this

| rest /servicesNS/-/-/data/lookup-table-files/<filename>.csv 
| table updated

nehamvinchankar · ‎02-23-2024

Can you use above rest query for kv store lookup also?

jip31 · ‎10-25-2019

Hi
I want to retrieve the last modification date like when you do "right click" and "properties" on a file
I dont understand your answer
what do you mean by "| inputlookup .csv"??

arjunpkishore5 · ‎10-25-2019

Please mark as answer if this answers your query

jip31 · ‎10-27-2019

hello
The API works but how to format the updated field??
| rest/servicesNS/-/-/data/lookup-table-files/host.csv
| eval updated = strftime(updated, "%d-%m-%y %H:%M")
| table updated

arjunpkishore5 · ‎10-27-2019

| eval updated=strptime(updated,"%FT%T%:z")

strftime converts unix timestamp(number) to string
strptime converts string to unix timestamp

jip31 · ‎10-27-2019

hummm, issue, there is no results when I add your eval...

arjunpkishore5 · ‎10-28-2019

I would guess the time format is different in your Splunk setup. Can you post a sample time without the eval?

jip31 · ‎10-28-2019

here is
1970-01-01T01:00:00+01:00

arjunpkishore5 · ‎10-28-2019

The earliest data strptime can work with is January 1 1971. Try using a more recent date.
https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/DateandTimeFunctions

arjunpkishore5 · ‎10-25-2019

Inputlookup displays the contents of your csv file in a table.

For your use case, use the rest command I pasted in the answer

Help for retrieving a lookup date and to display it in a dashboard

Data Persistence in the OpenTelemetry Collector

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Community Content Calendar, September edition

Are you a member of the Splunk Community?

Help for retrieving a lookup date and to display it in a dashboard

Data Persistence in the OpenTelemetry Collector

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Community Content Calendar, September edition