Splunk Search

Lookup files for alert creation

surekhasplunk
Communicator

I have 3 lookup files.
I want to take EmpNum from file1.csv, search for it in file2.csv to get the email ID, and generate an email alert to all those emails when today's date is equal to the ActionRequired date. Right now it is hard-coded; I want to add one more lookup file, dates.csv, where I will place these dates. Now how can I write the query to get the ActionRequired date into that variable for comparison?

|inputlookup file1.csv |rename "Employee ID" as EmpNum |search "Enrollment Status"=Enrolled OR "Enrollment Status"="In-Progress" |eval ActionRequired="2018-02-23" | eval today=strftime(now(),"%Y-%m-%d")| where ActionRequired=today |fields "Name" "EmpNum" |lookup file2.csv "Employee ID" as "EmpNum" output "Manager Email" as email "Employee Email" | stats values(EmpNum) as "Employee ID" list("Employee Email") as "Employee Email ID" by email

dates.csv looks like this:
I can use this query to just get the ActionRequired field from this file.
|inputlookup dates.csv |search Description=MPC |fields "Action Required"

Help


493669
Super Champion

Okay, then try this:

|inputlookup file1.csv |rename "Employee ID" as EmpNum |search "Enrollment Status"=Enrolled OR "Enrollment Status"="In-Progress" |eval Description="MPC" |lookup dates.csv Description OUTPUT ActionRequired|<remaining query>

surekhasplunk
Communicator

Somehow ActionRequired is coming as blank 😞


493669
Super Champion

Is there any space between Action and Required in the lookup?


surekhasplunk
Communicator

Yes, again the culprit was the double quotes. Thanks much :) Working now.


493669
Super Champion

Is there any common field in file1.csv and dates.csv, like the field Description?


surekhasplunk
Communicator

No common field. That's where I am getting confused.
But I can hardcode that value: "Description"=MPC

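The complete pipeline the thread converges on, written out here as an added example (it is not the poster's final query, which the thread does not show): dates.csv supplies the date through the constant Description key, and the lookup's "Action Required" field, which contains a space, is quoted and renamed to ActionRequired before the comparison. Column names in file2.csv are assumed to be the ones used in the original hard-coded query.

```spl
| inputlookup file1.csv
| rename "Employee ID" as EmpNum
| search "Enrollment Status"=Enrolled OR "Enrollment Status"="In-Progress"
| eval Description="MPC"
| lookup dates.csv Description OUTPUT "Action Required" as ActionRequired
| eval today=strftime(now(),"%Y-%m-%d")
| where ActionRequired=today
| fields Name EmpNum
| lookup file2.csv "Employee ID" as EmpNum OUTPUT "Manager Email" as email "Employee Email"
| stats values(EmpNum) as "Employee ID" list("Employee Email") as "Employee Email ID" by email
```

The where clause compares strings, so the date stored in dates.csv must be in YYYY-MM-DD form exactly as strftime produces it; if it is stored in another format, normalize it with strptime/strftime before the comparison. Saving this search as a scheduled alert with the email action, triggered per result, gives one mail per manager email address.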