Re: Search two fields in one csv lookup

ocampocliff1 · ‎03-21-2017

I want to use fields two fields that i have inside the lookup,

Inside my lookup i have "account" and "date"

basically i want to do is to search the account with the date which is greater than today.

adonio · ‎03-22-2017

adonio · ‎03-22-2017

Hello ocampocliff1,
here is the csv i created:

if the date format is different on your end, you will have to change the time format in the eval statements. you can find the formats here: https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Commontimeformatvariables

using this search:

| inputlookup accounts.csv 
 | eval new_time = strptime(date, "%m/%d/%Y") 
 | eval c_time=strftime(new_time,"%m/%d/%y %H:%M:%S") 
 | eval now = now() 
 | where new_time > now 
 | table account, c_time

i got this:

you can play with the | where clause as you please to find accounts on a time frame

Hope it helps

adonio · ‎03-22-2017

couldn't edit the answer to show screenshots. they are in the answer below

ocampocliff1 · ‎03-22-2017

Hi adonio,

Thanks for this one!

I'm using this concept now. 🙂

adonio · ‎03-23-2017

you are welcome!
if that answers, can you mark as "answered"?
thanks!

Search two fields in one csv lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation