Splunk Search

Can anyone help me to match a value into lookup.csv if condition

louisawang
New Member

I have a lookup.csv with all the public holidays in Singapore.

I am trying to query if _time=datefield (meaning if today is a public holiday), SLA_DEADLINE+86400 (deadline extended by 1 day).
I added a row called test and datefield is today, so by right, if _time=test, it should extend the deadline by 1 day.
This is my code:

    | eval today = strftime(_time,"%Y-%m-%d") 
    | lookup public_holiday.csv Public_Holiday output datefield 
    | rename datefield TO public_holiday 
    | eval SLA_DEADLINE = case((public_holiday==today),SLA_DEADLINE+86400,true(),SLA_DEADLINE)

But it isn't extending by 1 day, can anyone help me?

0 Karma

nickhills
Ultra Champion

Not tested, but this method uses a lookup 'properly'

    | eval today = strftime(_time,"%Y-%m-%d")
    | lookup public_holiday.csv datefield as today OUTPUT Public_Holiday
    | eval SLA_DEADLINE = if(isnull(Public_Holiday),SLA_DEADLINE,SLA_DEADLINE+86400)

If my comment helps, please give it a thumbs up!

louisawang
New Member

Hello, thanks for your reply. Do I need to edit anything in props.conf or transforms.conf?

0 Karma

louisawang
New Member

It gave me this error, Error in 'lookup' command: Must specify one or more lookup fields.
What does this error mean? Can you help me? Thank you!

0 Karma

nickhills
Ultra Champion

Hello - sorry there was a mistake in my first post. I had got the inputs of the lookup round the wrong way (I was typing on my phone). I have corrected the example above, please give it another go.
No changes to props/trans.

If my comment helps, please give it a thumbs up!
0 Karma

eduardKiyko
Explorer

Hi, @louisawang
Try this query:

    | inputlookup public_holiday.csv
    | eval today = strftime(now(),"%Y-%m-%d")
    | eval SLA_DEADLINE = 1
    | rename datefield AS public_holiday
    | eval SLA_DEADLINE = case((public_holiday==today),SLA_DEADLINE+86400,true(),SLA_DEADLINE)
    | table today public_holiday SLA_DEADLINE

I added a couple of rows (third and sixth) for better understanding; in my case it works.

0 Karma

lakshman239
Influencer

The output needs to be in caps - OUTPUT. Also, you want to input datefield to lookup and output Public_holiday to know if today is a public holiday. You can then change your logic/further checks for SLA.

0 Karma