Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

eval strftime to create current_hour (HH:MM) to be used with inputlookup fields

middlemiddle
Explorer
‎05-26-2021 12:22 PM

I have a lookup with the files that should be sent each hour (common/flat file names) with the hour as the header, I would like to use an eval to set current hour to use to pull back thresholds in lookup with # of files for that hour:

| eval current_hour=strftime(now(),"%H:00")

Use the above with inputlookup to pull back fields "field file_names 14:00" as an example:

| inputlookup file_monitoring_.csv | fields $current_hour$

lookup is like below:

file_name,00:00,01:00,02:00,03:00,etc...
file001.csv,5,10,15,20,etc....
file002.csv,0,0,0,1,etc....
file007.csv,105,206,409,727,etc....
file009.csv,1,2,3,4,etc....


Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-26-2021 01:59 PM

Try something like this:

| eval current_hour=strftime(now(),"%H:00")
| inputlookup file_monitoring_.csv
| foreach *
  [ eval keep=if("<<FIELD>>"=current_hour,'<<FIELD>>',keep)]
| fields keep

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-26-2021 01:59 PM

Try something like this:

| eval current_hour=strftime(now(),"%H:00")
| inputlookup file_monitoring_.csv
| foreach *
  [ eval keep=if("<<FIELD>>"=current_hour,'<<FIELD>>',keep)]
| fields keep
Reply
Solved! Jump to solution

middlemiddle
Explorer
‎05-27-2021 07:51 AM

Works like a charm, thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...