Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Select a column (named as days of the week) and copy over to a new column

rahul0621
Explorer
‎06-23-2020 05:43 PM

Hello,

I have an inputlookup table (test.csv) with a few columns including 7 columns (for 7 days of the week) as shown below.

FILENAMEMondayTuesdayWednesdayThursdayFridaySaturdaySunday
abc12345XX
xyz1123045XX
1231112300405XX

 

I need to pull the column corresponding to the execution day. For example, if i execute it on 6/23/2020 (date being Wednesday), I should get something like this.

FILENAMECount
abc3
xyz30
123300

 

If I run this search on 6/27/2020, being a Saturday, I should get something like this -

FILENAMECount
abcX
xyzX
123X

 

I tried something like this but it isn't working -

| inputlookup test.csv |  eval wkday = strftime(now(),"%A") | eval Count = {wkday}

 

Any help would be greatly appreciated.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 06:38 PM

One way

| inputlookup test.csv
| transpose
| eval wkday = strftime(now(),"%A")
| where column="FILENAME" OR column=wkday
| fields - wkday
| transpose header_field=column
| fields - column

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 06:38 PM

One way

| inputlookup test.csv
| transpose
| eval wkday = strftime(now(),"%A")
| where column="FILENAME" OR column=wkday
| fields - wkday
| transpose header_field=column
| fields - column
0 Karma
Reply
Solved! Jump to solution

rahul0621
Explorer
‎06-23-2020 07:18 PM

Thanks for your response @bowesmana 

Here's one problem with this solution - the column name will keep on changing (with wkday) but I want the output column name always to be "Count".

Could this be rectified?

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 09:45 PM

Sure, just add this line after the fields - wkday

| eval column=if(column="FILENAME",column,"Count")

 

0 Karma
Reply
Solved! Jump to solution

rahul0621
Explorer
‎06-24-2020 05:50 AM

I used this instead after fields - wkday:

replace "*day" with Count in column

But your solution worked perfectly for me. Thanks a lot for the help.

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-24-2020 03:13 PM

Haha, yes, you will find that for ever task, there are often several solutions. You could also use the eval replace() function. 

Have fun exploring!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...