Splunk Search

Can anyone help me to match a value into lookup.csv if condition

louisawang
New Member

I have a lookup.csv with all the public holidays in Singapore.

public holiday

I am trying to query if _time=datefield(meaning if today is a public holiday), SLA_DEADLINE +86400(deadline extend by 1 day).
I added a row called test and datefield is today, so by right, if _time =test, it should extend the deadline by 1 day.
This is my code:

    | eval today = strftime(_time,"%Y-%m-%d") 
    | lookup public_holiday.csv Public_Holiday output datefield 
    | rename datefield TO public_holiday 
    | eval SLA_DEADLINE = case((public_holiday==today),SLA_DEADLINE+86400,true(),SLA_DEADLINE)

But it isn't extending by 1 day, can anyone help me?

0 Karma

nickhills
Ultra Champion

Not tested, but this method uses a lookup 'properly'

| eval today = strftime(_time,"%Y-%m-%d") 
| lookup public_holiday.csv datefield as today OUTPUT Public_Holiday
| eval SLA_DEADLINE = if(isnull(Public_Holiday),SAL_DEADLINE,SLA_DEADLINE+86400)
If my comment helps, please give it a thumbs up!

louisawang
New Member

Hello, thanks for your reply, do i need to edit anything on the props.conf or transforms.conf?

0 Karma

louisawang
New Member

It gave me this error, Error in 'lookup' command: Must specify one or more lookup fields.
What does this error mean? Can you help me? Thank you!

0 Karma

nickhills
Ultra Champion

Hello - sorry there was a mistake in my first post. I had got the inputs of the lookup round the wrong way (I was typing on my phone). I have corrected the example above, please give it another go.
No changes to props/trans.

If my comment helps, please give it a thumbs up!
0 Karma

eduardKiyko
Explorer

Hi, @louisawang
Try this query:
| inputlookup public_holiday.csv
| eval today = strftime(now(),"%Y-%m-%d")
| eval SLA_DEADLINE = 1
| rename datefield AS public_holiday
| eval SLA_DEADLINE = case((public_holiday==today),SLA_DEADLINE+86400,true(),SLA_DEADLINE)
| table today public_holiday SLA_DEADLINE

I added a couple of rows(third and sixth) for better understanding, in my case it works

0 Karma

lakshman239
SplunkTrust
SplunkTrust

The output needs to be in caps - OUTPUT. Also, you want to input datefield to lookup and output Public_holiday to know if today is a public holiday. You can then change your logic/further checks for SLA.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...