Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to pass the current date into the outputlookup file name?

mic1024
Path Finder
‎10-29-2014 09:48 AM

Is there a way to pass current date into outputlookup file name?

For instance I created and append my lookup file with LOG_ID=362826361 (this is a search generated by workflow action [when user sees a new event, clicks on it and invokes appending of the lookupfile]):


index=opsmon sourcetype=opsmonitor LOG_ID=362826361 |table LOG_ID |outputlookup append=true ackevents.csv

Then on a dashboard called ACK Events I pass contents of ackevents.csv to display list of events that were acknowledged:

index=opsmon sourcetype=opsmonitor EVENT_MSG=* [|inputlookup ackevents.csv] |stats list(EVENT_MSG) by _time, LOG_LEVEL , APP_DOMAIN,HOST_NAME, LOG_ID | sort - _time

At the same time the original dashboard Excludes the ACK'ed events.

The lookup file however will grow over time, which is something I'd like to avoid - hence generate a new file every day ( by means of creating it with a date in the file name).

Any ideas?

Thanks,

Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-29-2014 10:14 AM

Sure. Define a macro like this:

[today]
definition = strftime(time(), "%Y-%m-%d")
iseval = 1

and use it in your search like this:

... | outputlookup foo_`today`.csv

gives me this output:

Results written to file 'C:\Program Files\Splunk\etc\apps\search\lookups\foo_2014-10-29.csv' on serverName='Martin-PC'

View solution in original post

Reply
Solved! Jump to solution

vnravikumar
Champion
‎02-19-2019 08:41 PM

Hi @vumanhtai

If you try to define a macro using conf file then put the entry macros.conf in the corresponding app folder. Let me know any issues

[today]
definition = strftime(time(), "%Y-%m-%d")
iseval = 1

if you try using UI then it should be

alt text

0 Karma
Reply
Solved! Jump to solution

vumanhtai
Path Finder
‎02-19-2019 08:49 PM

thank you so much

0 Karma
Reply
Solved! Jump to solution

vumanhtai
Path Finder
‎02-19-2019 05:49 PM

Hi all
i added new macros like this :
alt text

but my search : | outputlookup test_today.csv is not working
how do i add the "today" macro to make it work

splunk.png
Preview file
62 KB
0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-29-2014 10:14 AM

Sure. Define a macro like this:

[today]
definition = strftime(time(), "%Y-%m-%d")
iseval = 1

and use it in your search like this:

... | outputlookup foo_`today`.csv

gives me this output:

Results written to file 'C:\Program Files\Splunk\etc\apps\search\lookups\foo_2014-10-29.csv' on serverName='Martin-PC'
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
li.common.scroll-to.top