Hello,
I am looking for some guidance please with regard to a CSV input I have that is automatically updated daily as part of the TA.
I want to be able to extract data when a row has been updated within the last 24 hours.
The CSV, for example, has the following columns:
title, category, published_datetime
I want to see the other values in the row when published_datetime is less than 24 hours, in UTC format.
Thank you
Something like this:
| inputlookup <lookup-name>
| eval pubtime=strptime(published_datetime, "%Y-%m-%d %H:%M:%S")
| where pubtime>relative_time(now(), "-24h@m")
You might have to change the format of datetime inside strptime function based on the values in your lookup. - https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Commontimeformatvariables
Thank you, just had to amend the date format as you suggested.
Use inputlookup to load the csv into the event stream, convert the published_datetime to a numeric epoch value using strptime(), then use a where command to compare published_datetime with now()-(24*60*60) and keep events where published datetime is greater than 24 hours ago.
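Both replies describe the same pipeline: load the lookup, turn published_datetime into an epoch with strptime(), then keep rows newer than 24 hours. As an added example that is not part of this thread, the Python below applies that filter to a constructed CSV, parsing the timestamps explicitly as UTC so the comparison does not depend on the host's or search head's local timezone. The sample rows and the fixed reference time are constructed for the example.

```python
"""Added example (not from the thread): keep CSV rows whose published_datetime
falls within the last 24 hours, mirroring the SPL
inputlookup -> strptime -> where pattern. Timestamps are treated as UTC."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample lookup contents: title, category, published_datetime (UTC).
SAMPLE_CSV = """title,category,published_datetime
Patch Tuesday summary,advisory,2024-05-01 09:15:00
Old campaign writeup,report,2024-04-20 12:00:00
Malformed row,report,not-a-date
Fresh IOC list,ioc,2024-05-02 03:30:00
"""

# Same format string as the strptime() call in the SPL answer.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Fixed "now" so the run is reproducible; in practice use datetime.now(timezone.utc).
FIXED_NOW = datetime(2024, 5, 2, 8, 0, 0, tzinfo=timezone.utc)


def parse_utc(value, fmt=TIME_FORMAT):
    """Equivalent of SPL strptime(): return a timezone-aware UTC datetime, or
    None when the value does not match the format (SPL yields null there)."""
    try:
        return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def recent_rows(csv_text, now, window=timedelta(hours=24), fmt=TIME_FORMAT):
    """Return the rows whose published_datetime is strictly later than now - window.
    Rows with an unparseable timestamp are dropped, just as a null epoch fails
    the where comparison in SPL."""
    cutoff = now - window
    kept = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pubtime = parse_utc(row["published_datetime"], fmt)
        if pubtime is not None and pubtime > cutoff:
            kept.append(row)
    return kept


if __name__ == "__main__":
    for row in recent_rows(SAMPLE_CSV, FIXED_NOW):
        print(row["title"], row["category"], row["published_datetime"])
```

Rows whose timestamp does not match the format are silently dropped here, as in the SPL, so if the feed's date format ever changes the search will quietly return nothing; counting the rows where strptime() comes back null is a cheap way to catch that. This example does not reproduce the `@m` snapping in `relative_time(now(), "-24h@m")`; it compares against an exact 24-hour cutoff.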