Hi,
I have a lookup file as below.
Fileid  earliest  latest
abc     01        03
bcd     02        05
Now the alert (which runs every hour) that I am going to set up should look at this lookup file; if the current time falls within the earliest-to-latest range of any row in the lookup file, the corresponding Fileid should be output, and the alert should also look for that Fileid in the time range given in the lookup file.
Please advise me how to achieve this.
| inputlookup lookupfile
| eval hour_now=floor(now()/(60*60))%24
| where hour_now >= earliest AND hour_now <= latest
Thank you @ITWhisperer
Now I should be performing a search with the corresponding FileId in that timeframe (as in the lookup).
How would I do that?
search [| inputlookup lookupfile
| eval hour_now=floor(now()/(60*60))%24
| where hour_now >= earliest AND hour_now <= latest
| dedup FileId
| fields FileId]
Thanks again @ITWhisperer for the response.
My ask is: how do I run that search for the time specified in the lookup file?
If a FileId is to be searched with an earliest time of 2 am and a latest time of 4 am, how do I include that in the query?
Assuming FileId is a field already extracted, try something like this:
search [| inputlookup lookupfile
| eval hour_now=floor(now()/(60*60))%24
| where hour_now >= earliest AND hour_now <= latest
| eval earliest=relative_time(now(),"@d+".earliest."h")
| eval latest=relative_time(now(),"@d+".latest."h")
| table earliest latest FileId]
In the query below, when I enclose the inputlookup inside square brackets I'm not getting results.
My search has to be like the one below:
index=abc sourcetype=bcd earliest=<earliest time that I get from lookup> latest=<latest time that I get from lookup> "<Fieldid that I get from lookup>"
Can this be achieved without the help of a lookup file?
You could "hard code" the contents of the lookup file into your search using the makeresults command.
Hi @ITWhisperer
In the query given, when I enclose the inputlookup inside square brackets I'm not getting results.
My search has to be like the one below:
index=abc sourcetype=bcd earliest=<earliest time that I get from lookup> latest=<latest time that I get from lookup> "<Fieldid that I get from lookup>"
Do you mean FieldId or FileId?
Please can you share the search you are using (with the brackets) which is not working?
My actual search is this:
index=abc sourcetype=cbd <search_string> earliest=<some_time> latest=<some_time>
The search_string, earliest and latest have to be taken from the lookup file.
The lookup file will have file_id, earliest and latest time in it.
The search should run every hour.
If the current time matches the latest in the lookup, then the corresponding latest, earliest and file_id have to be picked up and given to the above query.
You said when you use the brackets it doesn't work. Can you share that search please?
Yes.
index=sswer sourcetype=abcdr [| inputlookup lookup_test.csv
| eval hour_now = (floor(now()/(60*60))%24-6)
| where Earliest <= hour_now AND Latest >= hour_now
| table hour_now Earliest Latest ReportsName]
This is the search query that I used.
My actual query should look like this:
index=sswer sourcetype=abcdr "ReportsName" earliest=Earliest latest=Latest
where the ReportsName, Earliest & Latest values have to be picked from the lookup file.
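The following is an added example, not code from the thread or from Splunk: it emulates offline what the subsearch in ITWhisperer's third answer hands to the outer search, and what the last search posted above hands it instead. It assumes the lookup columns are FileId, earliest and latest with hours of day (0-23) as in the thread, and approximates two Splunk behaviours: every field a subsearch returns is rendered as an ANDed field="value" term, with rows joined by OR, and a field literally named `search` is emitted as a bare term (so to get a quoted term you would `eval search="\"".FileId."\""` in the subsearch). One caveat the thread's SPL glosses over: floor(now()/3600)%24 is the UTC hour, while `@d` in relative_time snaps to midnight in the search's own timezone; the example keeps both in UTC, which is what the SPL must also do to match. It also goes beyond the thread by handling a window that wraps past midnight (e.g. 22 to 02), which the plain `>=`/`<=` comparison does not.

```python
# Added example (not code from the thread): emulate what Splunk does with the
# subsearch from the answer above, so its expansion can be inspected offline.
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample lookup mirroring the thread's columns; the third row wraps
# past midnight, a case the thread's SPL does not handle.
LOOKUP_CSV = """FileId,earliest,latest
abc,01,03
bcd,02,05
xyz,22,02
"""


def load_lookup(text):
    """Parse the CSV the way inputlookup + eval would: hours become integers."""
    return [
        {"FileId": r["FileId"], "earliest": int(r["earliest"]), "latest": int(r["latest"])}
        for r in csv.DictReader(io.StringIO(text))
    ]


def hour_now(now):
    """Mirror `eval hour_now=floor(now()/(60*60))%24`: the UTC hour of day."""
    return (int(now.timestamp()) // 3600) % 24


def in_window(hour, earliest, latest):
    """`where hour_now >= earliest AND hour_now <= latest`, extended so that a
    window with earliest > latest wraps across midnight (beyond the thread)."""
    if earliest <= latest:
        return earliest <= hour <= latest
    return hour >= earliest or hour <= latest


def snap_day_plus_hours(now, hours):
    """Mirror relative_time(now(), "@d+Nh"): midnight of now's day plus N hours.
    `now` must be tz-aware; SPL's @d snaps in the search's timezone while the
    hour above is UTC, so the caller keeps everything in UTC to stay consistent."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return int((midnight + timedelta(hours=hours)).timestamp())


def window_epochs(row, now):
    """Epoch (earliest, latest) for a matching row, shifting one bound by a day
    when the window wraps midnight so the range is contiguous and contains now."""
    e, l = row["earliest"], row["latest"]
    h = hour_now(now)
    if e > l:              # wraps, e.g. 22 -> 02
        if h <= l:         # early-morning part: the window started yesterday
            e -= 24
        else:              # late-evening part: the window ends tomorrow
            l += 24
    return snap_day_plus_hours(now, e), snap_day_plus_hours(now, l)


def matching_rows(rows, now):
    """Rows whose hour window contains the current UTC hour."""
    h = hour_now(now)
    return [r for r in rows if in_window(h, r["earliest"], r["latest"])]


def render_subsearch(rows, now):
    """Approximate expansion of `[... | table earliest latest search]` when the
    subsearch sets lowercase earliest/latest to epochs and `search` to the quoted
    FileId: (earliest=E latest=L "abc") OR (...). No matching rows yields an
    empty expansion, i.e. the hourly alert has nothing to search for."""
    clauses = []
    for r in matching_rows(rows, now):
        e, l = window_epochs(r, now)
        clauses.append(f'(earliest={e} latest={l} "{r["FileId"]}")')
    return " OR ".join(clauses)


def render_as_posted(rows, now):
    """Approximate expansion of the last search in the thread, whose `table`
    keeps hour_now, Earliest and Latest (the -6 offset is omitted here). Every
    kept field becomes an ANDed field="value" term: hour_now filters on a field
    the events do not have, and the capitalised Earliest/Latest are ordinary
    field terms holding hours of day, not the lowercase epoch time modifiers,
    which is why such a search returns nothing."""
    h = hour_now(now)
    return " OR ".join(
        f'(hour_now="{h}" Earliest="{r["earliest"]}" Latest="{r["latest"]}" '
        f'ReportsName="{r["FileId"]}")'
        for r in matching_rows(rows, now)
    )


if __name__ == "__main__":
    rows = load_lookup(LOOKUP_CSV)
    now = datetime(2024, 1, 15, 2, 30, tzinfo=timezone.utc)  # constructed instant
    print("hour_now =", hour_now(now))
    print("working :", render_subsearch(rows, now))
    print("as posted:", render_as_posted(rows, now))
```

Run it with a fixed instant, as in the `__main__` block, and compare the two renderings: the first is the shape the outer search needs, the second shows the extra terms that silently exclude every event. The same functions can be pointed at a real exported lookup to check each hourly run's window before wiring it into the alert.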