Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search dynamic field in Splunk?

sbhatnagar88
Path Finder
‎03-17-2023 01:10 AM

Hi,

I have a lookup table where column names are with weekdays (like monday, tuesday, wednesday,...) and have possible values as 1 and 0 only.

What I want to achieve..

...some query | eval day=strftime(now(),"%A") | where 'day'=1

but this doesn't seems to be working. Any idea how to search dynamic fields.

 

Thanks

Labels (1)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-17-2023 01:16 AM

Hi @sbhatnagar88,

which are the lookup fields?

if they are:

  • day (like monday, tuesday, wednesday,...)
  • value (0 or 1)

your search must be different:

...some query 
| eval day=strftime(now(),"%A") 
| search [ | inputlookup your_lookup.csv WHERE value="1" | fields day ]
| ...

put attention that the "day" values from the main search and from the lookup are the same.

Ciao.

Giuseppe

0 Karma
Reply

sbhatnagar88
Path Finder
‎03-17-2023 01:25 AM

Hi  @gcusello ,

My search itself begins with searching from KV lookup.  and that kv lookup have column name with day name something like

host    Type  monday  tuesday  wednesday  thursday   friday   saturday  sunday

ABC      X         1                 1                  1                     1                   1                 0              0

DEF       Y          0                0                  0                     0                    0                  1              1

I am using below query..

| inputlookup test | search type="ABC"  | eval day=strftime(now(),"%A")   | where 'day'=1

Basically I want to search dynamic day from my lookup.

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-17-2023 01:46 AM

Hi @sbhatnagar88,

I don't thing that's possible to have what you would, I think that you should think to a different structure for your lookup, e.g.:

  • host,
  • day,
  • value,

then you could run something like this:

| inputlookup test 
| search host="ABC"  
| search day=strftime(now(),"%A") AND value=1

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...