Re: Search two fields in one csv lookup

ocampocliff1 · ‎03-21-2017

I want to use fields two fields that i have inside the lookup,

Inside my lookup i have "account" and "date"

basically i want to do is to search the account with the date which is greater than today.

adonio · ‎03-22-2017

adonio · ‎03-22-2017

Hello ocampocliff1,
here is the csv i created:

if the date format is different on your end, you will have to change the time format in the eval statements. you can find the formats here: https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Commontimeformatvariables

using this search:

| inputlookup accounts.csv 
 | eval new_time = strptime(date, "%m/%d/%Y") 
 | eval c_time=strftime(new_time,"%m/%d/%y %H:%M:%S") 
 | eval now = now() 
 | where new_time > now 
 | table account, c_time

i got this:

you can play with the | where clause as you please to find accounts on a time frame

Hope it helps

adonio · ‎03-22-2017

couldn't edit the answer to show screenshots. they are in the answer below

ocampocliff1 · ‎03-22-2017

Hi adonio,

Thanks for this one!

I'm using this concept now. 🙂

adonio · ‎03-23-2017

you are welcome!
if that answers, can you mark as "answered"?
thanks!

Search two fields in one csv lookup

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

Search two fields in one csv lookup

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR