- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Add "Price" field with different values for specif...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add "Price" field with different values for specific timeranges
Hi,
I'm adding a "Price" field to each product in the events. Therefore I'm using a lookup which includes the productname and the price.
| lookup Pricelist.csv productname OUTPUT price
Is there a way to add different prices for specific timeranges? For Instance, Product A had a price of 5.00 until 24.11.2013, but for events >=25.11.2013 I would like to have a value of 3.00 in all events including product A.
Perhaps using a second lookup in combination with something like "if _time>=X lookup Pricelist2.csv productname OUTPUT price"?
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
Probably it would be better to have only one lookup, and include the time, in epoch when the price changed. And then do a eval to see which price should be used
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you cannot use a lookup in an eval.
if you lookup is timebased (fields _time, productname, price)
<mysearchwithfield_timeand_productname> | lookup pricelist.csv _time productname OUTPUT price | table _time productname price
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to use something like this?
| eval price=if(timestamp<1385251200, [|lookup pricelist.csv productname OUTPUT price], null())
This try returns an error:
"Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') , null())'"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for the input, I will keep that in mind. But at the moment I would prefer a fast ( and dirty) solution in the search string... 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Heinz
The Knowledge Manager documentation contains details on setting up a time based lookup. Take a look at http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Addfieldsfromexternaldatasources#Set_up_a_...
Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you mean a lookup like this?
productname, price, epochtime
ProductA, 5.00, 1385251200
ProductA, 3.00, 1385337600
How can I configure the lookup command what price to add to the field with an eval command?
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
