Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me update some field values from a lookup table?

pench2k19
Explorer
‎02-04-2019 04:41 AM

Hi Team,

I have the following field values in a look up file

BUS_DT+1,11:00
BUS_DT+0,12:00

i want to update the field values into my query result. When there is BUS_DT+1 value, it should replace today's date in yyyy-mm-dd format, and when there is BUS_DT+0 value, it should print yesterday's date.

The expected result respectively is 

2019-02-04, 11:00
2019-02-03,12:00

can anyone help on this use case. Thank you in advance

@vnravikumar @jkat54 @woodcock

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vnravikumar
Champion
‎02-04-2019 04:56 AM

Hi @pench2k19

Try this and let me know. I considered two fields in lookup with date and time.

date,time
BUS_DT+1,11:00
BUS_DT+0,12:00


| inputlookup panel.csv 
| eval date1 = case(date="BUS_DT+1",strftime(now(),"%Y-%m-%d").",".time,date="BUS_DT+0",strftime(relative_time(time(), "-d"),"%Y-%m-%d".",".time))

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎02-04-2019 04:59 AM

BUS_DT+1,11:00
BUS_DT+0,12:00

| rex “\+(?<dayCount>\d+)\,(?<hourCount>\d+):(?<minuteCount>\d+)”
| eval _time=case(dayCount==1,now()+86400, dayCount==0,now(),1==1,0)
| eval newTimeStamp=strftime(strptime(_time, “%s),”%y-%m-%d, %H:%M:%S)
0 Karma
Reply
Solved! Jump to solution

pench2k19
Explorer
‎02-04-2019 05:27 AM

the folloiwng giving me error @jkat54

| inputlookup SLA.csv | rex field=SOR_TDQ_FAIL_SLA_THRESHOLD “+(?\d+)\,(?\d+):(?\d+)”
| eval _time=case(dayCount==1,now()+86400, dayCount==0,now(),1==1,0)
| eval newTimeStamp=strftime(strptime(_time, “%s),”%y-%m-%d, %H:%M:%S) |table newTimeStamp

0 Karma
Reply
Solved! Jump to solution
Solution

vnravikumar
Champion
‎02-04-2019 04:56 AM

Hi @pench2k19

Try this and let me know. I considered two fields in lookup with date and time.

date,time
BUS_DT+1,11:00
BUS_DT+0,12:00


| inputlookup panel.csv 
| eval date1 = case(date="BUS_DT+1",strftime(now(),"%Y-%m-%d").",".time,date="BUS_DT+0",strftime(relative_time(time(), "-d"),"%Y-%m-%d".",".time))
0 Karma
Reply
Solved! Jump to solution

pench2k19
Explorer
‎02-04-2019 05:12 AM

@vnravikumar sorry for making you confused..its not two fields , the values belongs to single field

sl_time
BUS_DT+1,11:00
BUS_DT+0,12:00

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎02-04-2019 05:21 AM

Hi @pench2k19

try this

Updated

| inputlookup panel.csv | rex field="sl_time" "(?P<date>.*)\,(?<time>.*)" | eval sl_time = case(date="BUS_DT+1",strftime(now(),"%Y-%m-%d").",".time,date="BUS_DT+0",strftime(relative_time(time(), "-d"),"%Y-%m-%d".",".time))
0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎02-04-2019 05:30 AM

try above query and let me know

0 Karma
Reply
Solved! Jump to solution

pench2k19
Explorer
‎02-04-2019 05:33 AM

this works..thank you

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎02-04-2019 05:45 AM

welcome 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...