- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MeMilo09
Path Finder
05-24-2021
02:05 PM
Hello There,
I am able to use the | rest command to obtain the date that the lookup was last updated in Splunk. However, I can only seem to do that with one lookup and I am not able to add the other lookups. How can I add more lookups to the | rex command?
Lookups I have to add redSox_Report_.csv, yankees_Report_.csv, dodgers_Report.csv?
I can only add one so far angels_Report_.csv
| rest/servicesNS/-/-/data/lookup-table-files/angels_Report.csv
| eval updated=strptime(updated,"%FT%T%:z")
| eval desired_time=strftime(updated, "%a %m/%d/%Y")
| table desired_time
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MeMilo09
Path Finder
05-24-2021
11:34 PM
I found the solution:
| rest/servicesNS/-/-/data/lookup-table-files search="*_Report.csv"
| eval updated=strptime(updated,"%FT%T%:z")
| eval desired_time=strftime(updated, "%a %m/%d/%Y")
| table desired_time- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MeMilo09
Path Finder
05-24-2021
11:34 PM
I found the solution:
| rest/servicesNS/-/-/data/lookup-table-files search="*_Report.csv"
| eval updated=strptime(updated,"%FT%T%:z")
| eval desired_time=strftime(updated, "%a %m/%d/%Y")
| table desired_time
