Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me update some field values from a lookup table?

pench2k19
Explorer
‎02-04-2019 04:41 AM

Hi Team,

I have the following field values in a look up file

BUS_DT+1,11:00
BUS_DT+0,12:00

i want to update the field values into my query result. When there is BUS_DT+1 value, it should replace today's date in yyyy-mm-dd format, and when there is BUS_DT+0 value, it should print yesterday's date.

The expected result respectively is 

2019-02-04, 11:00
2019-02-03,12:00

can anyone help on this use case. Thank you in advance

@vnravikumar @jkat54 @woodcock

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vnravikumar
Champion
‎02-04-2019 04:56 AM

Hi @pench2k19

Try this and let me know. I considered two fields in lookup with date and time.

date,time
BUS_DT+1,11:00
BUS_DT+0,12:00


| inputlookup panel.csv 
| eval date1 = case(date="BUS_DT+1",strftime(now(),"%Y-%m-%d").",".time,date="BUS_DT+0",strftime(relative_time(time(), "-d"),"%Y-%m-%d".",".time))

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎02-04-2019 04:59 AM

BUS_DT+1,11:00
BUS_DT+0,12:00

| rex “\+(?<dayCount>\d+)\,(?<hourCount>\d+):(?<minuteCount>\d+)”
| eval _time=case(dayCount==1,now()+86400, dayCount==0,now(),1==1,0)
| eval newTimeStamp=strftime(strptime(_time, “%s),”%y-%m-%d, %H:%M:%S)
0 Karma
Reply
Solved! Jump to solution

pench2k19
Explorer
‎02-04-2019 05:27 AM

the folloiwng giving me error @jkat54

| inputlookup SLA.csv | rex field=SOR_TDQ_FAIL_SLA_THRESHOLD “+(?\d+)\,(?\d+):(?\d+)”
| eval _time=case(dayCount==1,now()+86400, dayCount==0,now(),1==1,0)
| eval newTimeStamp=strftime(strptime(_time, “%s),”%y-%m-%d, %H:%M:%S) |table newTimeStamp

0 Karma
Reply
Solved! Jump to solution
Solution

vnravikumar
Champion
‎02-04-2019 04:56 AM

Hi @pench2k19

Try this and let me know. I considered two fields in lookup with date and time.

date,time
BUS_DT+1,11:00
BUS_DT+0,12:00


| inputlookup panel.csv 
| eval date1 = case(date="BUS_DT+1",strftime(now(),"%Y-%m-%d").",".time,date="BUS_DT+0",strftime(relative_time(time(), "-d"),"%Y-%m-%d".",".time))
0 Karma
Reply
Solved! Jump to solution

pench2k19
Explorer
‎02-04-2019 05:12 AM

@vnravikumar sorry for making you confused..its not two fields , the values belongs to single field

sl_time
BUS_DT+1,11:00
BUS_DT+0,12:00

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎02-04-2019 05:21 AM

Hi @pench2k19

try this

Updated

| inputlookup panel.csv | rex field="sl_time" "(?P<date>.*)\,(?<time>.*)" | eval sl_time = case(date="BUS_DT+1",strftime(now(),"%Y-%m-%d").",".time,date="BUS_DT+0",strftime(relative_time(time(), "-d"),"%Y-%m-%d".",".time))
0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎02-04-2019 05:30 AM

try above query and let me know

0 Karma
Reply
Solved! Jump to solution

pench2k19
Explorer
‎02-04-2019 05:33 AM

this works..thank you

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎02-04-2019 05:45 AM

welcome 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...