Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

lookup files for alert creating

surekhasplunk
Communicator
‎02-23-2018 03:17 AM

I have 3 lookup files.
I want to take EmpNum from fiel1.csv searching for that in file2.csv to get the email id and generate an email alert to all those emails when todays date is = ActionRequired date. Now its hard coded i want to add one more lookup file dates.csv where i will place these dates. Now how can to write the query to get the date ActionRequired into that variable for comparison.

|inputlookup file1.csv |rename "Employee ID" as EmpNum |search "Enrollment Status"=Enrolled OR "Enrollment Status"="In-Progress" |eval ActionRequired="2018-02-23" | eval today=strftime(now(),"%Y-%m-%d")| where ActionRequired=today |fields "Name" "EmpNum" |lookup file2.csv "Employee ID" as "EmpNum" output "Manager Email" as email "Employee Email" | stats values(EmpNum) as "Employee ID" list(Employee Email) as "Employee Email ID" by email

dates.csv looks like this:
I can use this query to just get the ActionRequired field from this file.
|inputlooku dates.csv |search Description=MPC |field "Action Required"

Help

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎02-23-2018 03:36 AM

okay then try this:

|inputlookup file1.csv |rename "Employee ID" as EmpNum |search "Enrollment Status"=Enrolled OR "Enrollment Status"="In-Progress" |eval Description="MPC" |lookup dates.csv Description OUTPUT ActionRequired|<remaining query>

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎02-23-2018 03:36 AM

okay then try this:

|inputlookup file1.csv |rename "Employee ID" as EmpNum |search "Enrollment Status"=Enrolled OR "Enrollment Status"="In-Progress" |eval Description="MPC" |lookup dates.csv Description OUTPUT ActionRequired|<remaining query>
0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎02-23-2018 04:01 AM

Somehow ActionRequired is coming as blank 😞

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-23-2018 04:03 AM

is there any space between Action and Required in lookup?

0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎02-23-2018 04:08 AM

Yes again the culprit double quotes .. Thanks much ...:) working now.

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-23-2018 03:28 AM

is there any common field in file1.csv and dates.csv like field Description

0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎02-23-2018 03:31 AM

No common field. thats where am getting confused.
But i can hardcode that value "Description"=MPC

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...