Hi Splunk Gurus, 

I am new to lookups and this community has been a great help. I have a few cases where I can't seem to remove rows from a lookup correctly and I can't find a solution for it.

I have a lookup table that is used to list maintenance windows on servers. My CSV lookup has 3 columns CI,  chgreq, mStart, and mstop.

Example: serverA     CHG0001     2023-02-16 00:00     2023-02-17 13:00

I am pulling in emails from an O365 mailbox that allows the adding and clearing of these maintenance windows. Adding new rows to my lookup is working fine but when I try to remove rows I get a blank lookup.

Here is the search I am using:

index="maintenance_emails" Clear Maintenance

| rex field="subject" "Clear Maintenance for (?<server_name>.+)"

| inputlookup append=t maintenance_windows.csv

| where CI!=server_name

| eval CI=server_name, chgreq=chgreq, mStart=mStart, mStop=mStop

| outputlookup maintenance_windows.csv

The server_name field has the correct server name in it and it matches with a CI entry in my lookup. When I run the search I get a blank lookup table. I have done some testing and it looks like my where statement is not working.

I appear to also be having the same issue when trying to remove old maintenance window entries from the same table but using values in the mStop column and comparing them to the current date and time. But this may be a separate issue (i.e. with the date/time format or operation).

| eval cur_time=strftime(now(), "%Y-%m-%d %H:%M")

| inputlookup append=t maintenance_windows.csv

| where mStop<=cur_time

| eval CI=server_name, chgreq=chgreq, mStart=mStart, mStop=mStop

| outputlookup maintenance_windows.csv

Any help would be very appreciated 🙂