Search two fields in one csv lookup

ocampocliff1 · ‎03-21-2017

I want to use fields two fields that i have inside the lookup,

Inside my lookup i have "account" and "date"

basically i want to do is to search the account with the date which is greater than today.

adonio · ‎03-22-2017

adonio · ‎03-22-2017

Hello ocampocliff1,
here is the csv i created:

if the date format is different on your end, you will have to change the time format in the eval statements. you can find the formats here: https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Commontimeformatvariables

using this search:

| inputlookup accounts.csv 
 | eval new_time = strptime(date, "%m/%d/%Y") 
 | eval c_time=strftime(new_time,"%m/%d/%y %H:%M:%S") 
 | eval now = now() 
 | where new_time > now 
 | table account, c_time

i got this:

you can play with the | where clause as you please to find accounts on a time frame

Hope it helps

adonio · ‎03-22-2017

couldn't edit the answer to show screenshots. they are in the answer below

ocampocliff1 · ‎03-22-2017

Hi adonio,

Thanks for this one!

I'm using this concept now. 🙂

adonio · ‎03-23-2017

you are welcome!
if that answers, can you mark as "answered"?
thanks!

Search two fields in one csv lookup

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Search two fields in one csv lookup

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases