Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to pass the current date into the outputlookup file name?

mic1024
Path Finder
‎10-29-2014 09:48 AM

Is there a way to pass current date into outputlookup file name?

For instance I created and append my lookup file with LOG_ID=362826361 (this is a search generated by workflow action [when user sees a new event, clicks on it and invokes appending of the lookupfile]):


index=opsmon sourcetype=opsmonitor LOG_ID=362826361 |table LOG_ID |outputlookup append=true ackevents.csv

Then on a dashboard called ACK Events I pass contents of ackevents.csv to display list of events that were acknowledged:

index=opsmon sourcetype=opsmonitor EVENT_MSG=* [|inputlookup ackevents.csv] |stats list(EVENT_MSG) by _time, LOG_LEVEL , APP_DOMAIN,HOST_NAME, LOG_ID | sort - _time

At the same time the original dashboard Excludes the ACK'ed events.

The lookup file however will grow over time, which is something I'd like to avoid - hence generate a new file every day ( by means of creating it with a date in the file name).

Any ideas?

Thanks,

Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-29-2014 10:14 AM

Sure. Define a macro like this:

[today]
definition = strftime(time(), "%Y-%m-%d")
iseval = 1

and use it in your search like this:

... | outputlookup foo_`today`.csv

gives me this output:

Results written to file 'C:\Program Files\Splunk\etc\apps\search\lookups\foo_2014-10-29.csv' on serverName='Martin-PC'

View solution in original post

Reply
Solved! Jump to solution

vnravikumar
Champion
‎02-19-2019 08:41 PM

Hi @vumanhtai

If you try to define a macro using conf file then put the entry macros.conf in the corresponding app folder. Let me know any issues

[today]
definition = strftime(time(), "%Y-%m-%d")
iseval = 1

if you try using UI then it should be

alt text

0 Karma
Reply
Solved! Jump to solution

vumanhtai
Path Finder
‎02-19-2019 08:49 PM

thank you so much

0 Karma
Reply
Solved! Jump to solution

vumanhtai
Path Finder
‎02-19-2019 05:49 PM

Hi all
i added new macros like this :
alt text

but my search : | outputlookup test_today.csv is not working
how do i add the "today" macro to make it work

Preview file
62 KB
0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-29-2014 10:14 AM

Sure. Define a macro like this:

[today]
definition = strftime(time(), "%Y-%m-%d")
iseval = 1

and use it in your search like this:

... | outputlookup foo_`today`.csv

gives me this output:

Results written to file 'C:\Program Files\Splunk\etc\apps\search\lookups\foo_2014-10-29.csv' on serverName='Martin-PC'
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...