Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can anyone help me to match a value into lookup.csv if condition

louisawang
New Member
‎02-12-2019 11:28 PM

I have a lookup.csv with all the public holidays in Singapore.

public holiday

I am trying to query if _time=datefield(meaning if today is a public holiday), SLA_DEADLINE +86400(deadline extend by 1 day).
I added a row called test and datefield is today, so by right, if _time =test, it should extend the deadline by 1 day.
This is my code:

    | eval today = strftime(_time,"%Y-%m-%d") 
    | lookup public_holiday.csv Public_Holiday output datefield 
    | rename datefield TO public_holiday 
    | eval SLA_DEADLINE = case((public_holiday==today),SLA_DEADLINE+86400,true(),SLA_DEADLINE)

But it isn't extending by 1 day, can anyone help me?

Preview file
1 KB
0 Karma
Reply

nickhills
Ultra Champion
‎02-13-2019 04:11 AM

Not tested, but this method uses a lookup 'properly'

| eval today = strftime(_time,"%Y-%m-%d") 
| lookup public_holiday.csv datefield as today OUTPUT Public_Holiday
| eval SLA_DEADLINE = if(isnull(Public_Holiday),SAL_DEADLINE,SLA_DEADLINE+86400)
If my comment helps, please give it a thumbs up!
Reply

louisawang
New Member
‎02-13-2019 06:59 PM

Hello, thanks for your reply, do i need to edit anything on the props.conf or transforms.conf?

0 Karma
Reply

louisawang
New Member
‎02-13-2019 07:07 PM

It gave me this error, Error in 'lookup' command: Must specify one or more lookup fields.
What does this error mean? Can you help me? Thank you!

0 Karma
Reply

nickhills
Ultra Champion
‎02-14-2019 12:31 AM

Hello - sorry there was a mistake in my first post. I had got the inputs of the lookup round the wrong way (I was typing on my phone). I have corrected the example above, please give it another go.
No changes to props/trans.

If my comment helps, please give it a thumbs up!
0 Karma
Reply

eduardKiyko
Explorer
‎02-13-2019 03:34 AM

Hi, @louisawang
Try this query:
| inputlookup public_holiday.csv
| eval today = strftime(now(),"%Y-%m-%d")
| eval SLA_DEADLINE = 1
| rename datefield AS public_holiday
| eval SLA_DEADLINE = case((public_holiday==today),SLA_DEADLINE+86400,true(),SLA_DEADLINE)
| table today public_holiday SLA_DEADLINE

I added a couple of rows(third and sixth) for better understanding, in my case it works

0 Karma
Reply

lakshman239
Influencer
‎02-13-2019 03:16 AM

The output needs to be in caps - OUTPUT. Also, you want to input datefield to lookup and output Public_holiday to know if today is a public holiday. You can then change your logic/further checks for SLA.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...