Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Select a column (named as days of the week) and copy over to a new column

rahul0621
Explorer
‎06-23-2020 05:43 PM

Hello,

I have an inputlookup table (test.csv) with a few columns including 7 columns (for 7 days of the week) as shown below.

FILENAMEMondayTuesdayWednesdayThursdayFridaySaturdaySunday
abc12345XX
xyz1123045XX
1231112300405XX

 

I need to pull the column corresponding to the execution day. For example, if i execute it on 6/23/2020 (date being Wednesday), I should get something like this.

FILENAMECount
abc3
xyz30
123300

 

If I run this search on 6/27/2020, being a Saturday, I should get something like this -

FILENAMECount
abcX
xyzX
123X

 

I tried something like this but it isn't working -

| inputlookup test.csv |  eval wkday = strftime(now(),"%A") | eval Count = {wkday}

 

Any help would be greatly appreciated.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 06:38 PM

One way

| inputlookup test.csv
| transpose
| eval wkday = strftime(now(),"%A")
| where column="FILENAME" OR column=wkday
| fields - wkday
| transpose header_field=column
| fields - column

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 06:38 PM

One way

| inputlookup test.csv
| transpose
| eval wkday = strftime(now(),"%A")
| where column="FILENAME" OR column=wkday
| fields - wkday
| transpose header_field=column
| fields - column
0 Karma
Reply
Solved! Jump to solution

rahul0621
Explorer
‎06-23-2020 07:18 PM

Thanks for your response @bowesmana 

Here's one problem with this solution - the column name will keep on changing (with wkday) but I want the output column name always to be "Count".

Could this be rectified?

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 09:45 PM

Sure, just add this line after the fields - wkday

| eval column=if(column="FILENAME",column,"Count")

 

0 Karma
Reply
Solved! Jump to solution

rahul0621
Explorer
‎06-24-2020 05:50 AM

I used this instead after fields - wkday:

replace "*day" with Count in column

But your solution worked perfectly for me. Thanks a lot for the help.

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-24-2020 03:13 PM

Haha, yes, you will find that for ever task, there are often several solutions. You could also use the eval replace() function. 

Have fun exploring!

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...