Splunk Search

Can anyone help me to match a value into lookup.csv if condition

louisawang
New Member

I have a lookup.csv with all the public holidays in Singapore.

public holiday

I am trying to query if _time=datefield(meaning if today is a public holiday), SLA_DEADLINE +86400(deadline extend by 1 day).
I added a row called test and datefield is today, so by right, if _time =test, it should extend the deadline by 1 day.
This is my code:

    | eval today = strftime(_time,"%Y-%m-%d") 
    | lookup public_holiday.csv Public_Holiday output datefield 
    | rename datefield TO public_holiday 
    | eval SLA_DEADLINE = case((public_holiday==today),SLA_DEADLINE+86400,true(),SLA_DEADLINE)

But it isn't extending by 1 day, can anyone help me?

0 Karma

nickhills
Ultra Champion

Not tested, but this method uses a lookup 'properly'

| eval today = strftime(_time,"%Y-%m-%d") 
| lookup public_holiday.csv datefield as today OUTPUT Public_Holiday
| eval SLA_DEADLINE = if(isnull(Public_Holiday),SAL_DEADLINE,SLA_DEADLINE+86400)
If my comment helps, please give it a thumbs up!

louisawang
New Member

Hello, thanks for your reply, do i need to edit anything on the props.conf or transforms.conf?

0 Karma

louisawang
New Member

It gave me this error, Error in 'lookup' command: Must specify one or more lookup fields.
What does this error mean? Can you help me? Thank you!

0 Karma

nickhills
Ultra Champion

Hello - sorry there was a mistake in my first post. I had got the inputs of the lookup round the wrong way (I was typing on my phone). I have corrected the example above, please give it another go.
No changes to props/trans.

If my comment helps, please give it a thumbs up!
0 Karma

eduardKiyko
Explorer

Hi, @louisawang
Try this query:
| inputlookup public_holiday.csv
| eval today = strftime(now(),"%Y-%m-%d")
| eval SLA_DEADLINE = 1
| rename datefield AS public_holiday
| eval SLA_DEADLINE = case((public_holiday==today),SLA_DEADLINE+86400,true(),SLA_DEADLINE)
| table today public_holiday SLA_DEADLINE

I added a couple of rows(third and sixth) for better understanding, in my case it works

0 Karma

lakshman239
Influencer

The output needs to be in caps - OUTPUT. Also, you want to input datefield to lookup and output Public_holiday to know if today is a public holiday. You can then change your logic/further checks for SLA.

0 Karma
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...