Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: lookup files for alert creating
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have 3 lookup files.
I want to take EmpNum from fiel1.csv searching for that in file2.csv to get the email id and generate an email alert to all those emails when todays date is = ActionRequired date. Now its hard coded i want to add one more lookup file dates.csv where i will place these dates. Now how can to write the query to get the date ActionRequired into that variable for comparison.
|inputlookup file1.csv |rename "Employee ID" as EmpNum |search "Enrollment Status"=Enrolled OR "Enrollment Status"="In-Progress" |eval ActionRequired="2018-02-23" | eval today=strftime(now(),"%Y-%m-%d")| where ActionRequired=today |fields "Name" "EmpNum" |lookup file2.csv "Employee ID" as "EmpNum" output "Manager Email" as email "Employee Email" | stats values(EmpNum) as "Employee ID" list(Employee Email) as "Employee Email ID" by email
dates.csv looks like this:
I can use this query to just get the ActionRequired field from this file.
|inputlooku dates.csv |search Description=MPC |field "Action Required"
Help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
okay then try this:
|inputlookup file1.csv |rename "Employee ID" as EmpNum |search "Enrollment Status"=Enrolled OR "Enrollment Status"="In-Progress" |eval Description="MPC" |lookup dates.csv Description OUTPUT ActionRequired|<remaining query>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
okay then try this:
|inputlookup file1.csv |rename "Employee ID" as EmpNum |search "Enrollment Status"=Enrolled OR "Enrollment Status"="In-Progress" |eval Description="MPC" |lookup dates.csv Description OUTPUT ActionRequired|<remaining query>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Somehow ActionRequired is coming as blank 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
is there any space between Action and Required in lookup?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes again the culprit double quotes .. Thanks much ...:) working now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
is there any common field in file1.csv and dates.csv like field Description
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No common field. thats where am getting confused.
But i can hardcode that value "Description"=MPC
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
