Solved: eval strftime to create current_hour (HH:MM) to be...

middlemiddle · ‎05-26-2021

I have a lookup with the files that should be sent each hour (common/flat file names) with the hour as the header, I would like to use an eval to set current hour to use to pull back thresholds in lookup with # of files for that hour:

| eval current_hour=strftime(now(),"%H:00")

Use the above with inputlookup to pull back fields "field file_names 14:00" as an example:

| inputlookup file_monitoring_.csv | fields $current_hour$

lookup is like below:

file_name,00:00,01:00,02:00,03:00,etc...
file001.csv,5,10,15,20,etc....
file002.csv,0,0,0,1,etc....
file007.csv,105,206,409,727,etc....
file009.csv,1,2,3,4,etc....

ITWhisperer · ‎05-26-2021

Try something like this:

| eval current_hour=strftime(now(),"%H:00")
| inputlookup file_monitoring_.csv
| foreach *
  [ eval keep=if("<<FIELD>>"=current_hour,'<<FIELD>>',keep)]
| fields keep

View solution in original post

ITWhisperer · ‎05-26-2021

Try something like this:

| eval current_hour=strftime(now(),"%H:00")
| inputlookup file_monitoring_.csv
| foreach *
  [ eval keep=if("<<FIELD>>"=current_hour,'<<FIELD>>',keep)]
| fields keep

middlemiddle · ‎05-27-2021

Works like a charm, thank you.

eval strftime to create current_hour (HH:MM) to be used with inputlookup fields

eval

fields

lookup

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?