Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Select a column (named as days of the week) and copy over to a new column

rahul0621
Explorer
‎06-23-2020 05:43 PM

Hello,

I have an inputlookup table (test.csv) with a few columns including 7 columns (for 7 days of the week) as shown below.

FILENAMEMondayTuesdayWednesdayThursdayFridaySaturdaySunday
abc12345XX
xyz1123045XX
1231112300405XX

 

I need to pull the column corresponding to the execution day. For example, if i execute it on 6/23/2020 (date being Wednesday), I should get something like this.

FILENAMECount
abc3
xyz30
123300

 

If I run this search on 6/27/2020, being a Saturday, I should get something like this -

FILENAMECount
abcX
xyzX
123X

 

I tried something like this but it isn't working -

| inputlookup test.csv |  eval wkday = strftime(now(),"%A") | eval Count = {wkday}

 

Any help would be greatly appreciated.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 06:38 PM

One way

| inputlookup test.csv
| transpose
| eval wkday = strftime(now(),"%A")
| where column="FILENAME" OR column=wkday
| fields - wkday
| transpose header_field=column
| fields - column

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 06:38 PM

One way

| inputlookup test.csv
| transpose
| eval wkday = strftime(now(),"%A")
| where column="FILENAME" OR column=wkday
| fields - wkday
| transpose header_field=column
| fields - column
0 Karma
Reply
Solved! Jump to solution

rahul0621
Explorer
‎06-23-2020 07:18 PM

Thanks for your response @bowesmana 

Here's one problem with this solution - the column name will keep on changing (with wkday) but I want the output column name always to be "Count".

Could this be rectified?

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-23-2020 09:45 PM

Sure, just add this line after the fields - wkday

| eval column=if(column="FILENAME",column,"Count")

 

0 Karma
Reply
Solved! Jump to solution

rahul0621
Explorer
‎06-24-2020 05:50 AM

I used this instead after fields - wkday:

replace "*day" with Count in column

But your solution worked perfectly for me. Thanks a lot for the help.

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-24-2020 03:13 PM

Haha, yes, you will find that for ever task, there are often several solutions. You could also use the eval replace() function. 

Have fun exploring!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...