How to search dynamic field in Splunk?

sbhatnagar88 · ‎03-17-2023

Hi,

I have a lookup table where column names are with weekdays (like monday, tuesday, wednesday,...) and have possible values as 1 and 0 only.

What I want to achieve..

...some query | eval day=strftime(now(),"%A") | where 'day'=1

but this doesn't seems to be working. Any idea how to search dynamic fields.

Thanks

gcusello · ‎03-17-2023

which are the lookup fields?

if they are:

your search must be different:

...some query 
| eval day=strftime(now(),"%A") 
| search [ | inputlookup your_lookup.csv WHERE value="1" | fields day ]
| ...

put attention that the "day" values from the main search and from the lookup are the same.

Ciao.

Giuseppe

sbhatnagar88 · ‎03-17-2023

My search itself begins with searching from KV lookup. and that kv lookup have column name with day name something like

host Type monday tuesday wednesday thursday friday saturday sunday

ABC X 1 1 1 1 1 0 0

DEF Y 0 0 0 0 0 1 1

I am using below query..

| inputlookup test | search type="ABC" | eval day=strftime(now(),"%A") | where 'day'=1

Basically I want to search dynamic day from my lookup.

gcusello · ‎03-17-2023

I don't thing that's possible to have what you would, I think that you should think to a different structure for your lookup, e.g.:

then you could run something like this:

| inputlookup test 
| search host="ABC"  
| search day=strftime(now(),"%A") AND value=1

Ciao.

Giuseppe

Are you a member of the Splunk Community?