Splunk Search

Can anyone help me to match a value into lookup.csv if condition

louisawang
New Member

I have a lookup.csv with all the public holidays in Singapore.

public holiday

I am trying to query if _time=datefield(meaning if today is a public holiday), SLA_DEADLINE +86400(deadline extend by 1 day).
I added a row called test and datefield is today, so by right, if _time =test, it should extend the deadline by 1 day.
This is my code:

    | eval today = strftime(_time,"%Y-%m-%d") 
    | lookup public_holiday.csv Public_Holiday output datefield 
    | rename datefield TO public_holiday 
    | eval SLA_DEADLINE = case((public_holiday==today),SLA_DEADLINE+86400,true(),SLA_DEADLINE)

But it isn't extending by 1 day, can anyone help me?

0 Karma

nickhills
Ultra Champion

Not tested, but this method uses a lookup 'properly'

| eval today = strftime(_time,"%Y-%m-%d") 
| lookup public_holiday.csv datefield as today OUTPUT Public_Holiday
| eval SLA_DEADLINE = if(isnull(Public_Holiday),SAL_DEADLINE,SLA_DEADLINE+86400)
If my comment helps, please give it a thumbs up!

louisawang
New Member

Hello, thanks for your reply, do i need to edit anything on the props.conf or transforms.conf?

0 Karma

louisawang
New Member

It gave me this error, Error in 'lookup' command: Must specify one or more lookup fields.
What does this error mean? Can you help me? Thank you!

0 Karma

nickhills
Ultra Champion

Hello - sorry there was a mistake in my first post. I had got the inputs of the lookup round the wrong way (I was typing on my phone). I have corrected the example above, please give it another go.
No changes to props/trans.

If my comment helps, please give it a thumbs up!
0 Karma

eduardKiyko
Explorer

Hi, @louisawang
Try this query:
| inputlookup public_holiday.csv
| eval today = strftime(now(),"%Y-%m-%d")
| eval SLA_DEADLINE = 1
| rename datefield AS public_holiday
| eval SLA_DEADLINE = case((public_holiday==today),SLA_DEADLINE+86400,true(),SLA_DEADLINE)
| table today public_holiday SLA_DEADLINE

I added a couple of rows(third and sixth) for better understanding, in my case it works

0 Karma

lakshman239
Influencer

The output needs to be in caps - OUTPUT. Also, you want to input datefield to lookup and output Public_holiday to know if today is a public holiday. You can then change your logic/further checks for SLA.

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...