Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Add "Price" field with different values for specific timeranges

HeinzWaescher
Motivator
‎11-28-2013 01:02 AM

Hi,

I'm adding a "Price" field to each product in the events. Therefore I'm using a lookup which includes the productname and the price.

| lookup Pricelist.csv productname OUTPUT price

Is there a way to add different prices for specific timeranges? For Instance, Product A had a price of 5.00 until 24.11.2013, but for events >=25.11.2013 I would like to have a value of 3.00 in all events including product A.

Perhaps using a second lookup in combination with something like "if _time>=X lookup Pricelist2.csv productname OUTPUT price"?

Thanks in advance

Tags (3)
0 Karma
Reply

gfuente
Motivator
‎11-28-2013 01:48 AM

Hello

Probably it would be better to have only one lookup, and include the time, in epoch when the price changed. And then do a eval to see which price should be used

Regards

Reply

yannK
Splunk Employee
Splunk Employee
‎11-30-2013 08:53 AM

you cannot use a lookup in an eval.

if you lookup is timebased (fields _time, productname, price)

<mysearchwithfield_timeand_productname> | lookup pricelist.csv _time productname OUTPUT price | table _time productname price

0 Karma
Reply

HeinzWaescher
Motivator
‎11-28-2013 02:47 AM

Is it possible to use something like this?

| eval price=if(timestamp<1385251200, [|lookup pricelist.csv productname OUTPUT price], null())

This try returns an error:

"Error in 'eval' command: The expression is malformed. An unexpected character is reached at ') , null())'"

0 Karma
Reply

HeinzWaescher
Motivator
‎11-28-2013 02:37 AM

thanks for the input, I will keep that in mind. But at the moment I would prefer a fast ( and dirty) solution in the search string... 😉

0 Karma
Reply

davebrooking
Contributor
‎11-28-2013 02:05 AM

Heinz

The Knowledge Manager documentation contains details on setting up a time based lookup. Take a look at http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Addfieldsfromexternaldatasources#Set_up_a_...

Dave

Reply

HeinzWaescher
Motivator
‎11-28-2013 01:52 AM

Do you mean a lookup like this?

productname, price, epochtime
ProductA, 5.00, 1385251200
ProductA, 3.00, 1385337600

How can I configure the lookup command what price to add to the field with an eval command?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...