Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you perform a search if today is not the date listed in the lookup .csv file

lucy2019
Explorer
‎02-20-2019 01:37 PM

I have lookup file my_dates.csv like this:

mydate, something
1/1/2019, sth1
2/12/2019,sth2
2/20/2019,sth
3/13/2019,sth3

I need to perform a search for if today's date is not the one in my_dates.csv. My search looks like this:

 |bin _time span=1d | search NOT [|inputlook my_dates.csv | eval _time=strptime(mydate, "%m%d%Y") | table _time]

However, this seems to not work. For example, today's date is 2/20/2019. I still got some results back if I run the above search.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-20-2019 09:21 PM

I am by no means validating your particular design here, but the way to make it function is like this:

... | bin _time span=1d | search NOT [|inputlook my_dates.csv | eval time=strptime(mydate, "%m%d%Y") | table time | format | rex field=search mode=sed "s/time/_time/g"]

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-20-2019 09:21 PM

I am by no means validating your particular design here, but the way to make it function is like this:

... | bin _time span=1d | search NOT [|inputlook my_dates.csv | eval time=strptime(mydate, "%m%d%Y") | table time | format | rex field=search mode=sed "s/time/_time/g"]
Reply
Solved! Jump to solution

lucy2019
Explorer
‎02-21-2019 07:27 AM

@woodcock This is awesome! It works perfectly as I need. Can you explain what exactly 'rex field=search mode=sed "s/time/_time/g"' does here? Many thanks!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-21-2019 08:09 AM

Splunk treats fields that start with underscore differently than other fields in that most commands ignore them as though they were invisible, and _time is even more special which has additional peculiarities all its own. Whenever you are debugging a failed subsearch, tack format on to the end of it in a regular search to validate what the subsearch will generate. In this case, it revealed what I expected: _time was (properly) being treated as invisible so your subsearch had nothing in it. So I used time instead, which did generate the expected logic in the search field, but with the wrong field name. I used sed to rename time back to _time.

0 Karma
Reply
Solved! Jump to solution

lucy2019
Explorer
‎02-20-2019 01:40 PM

I had typo in my search, it should be:
index='abcd' string_seach |bin _time span=1d | search NOT [|inputlookup my_dates.csv | eval _time=strptime(mydate, "%m%d%Y") | table _time]

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎02-20-2019 09:49 PM

Need to add the slashes “/“ in your _time strptime eval.

%m%d%Y

Becomes

%m/%d/%Y
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...