Splunk Search

strptime for a existing time field in lookup table and adding new time field (_time) in the same lookup table

esmonder
Path Finder

i have a timefield "date_last" in a lookup table: 2018-03-20T12:25:00.000Z

which i have tried to extract the field using the following(correct me if i'm wrong):

| myinputlookup
| eval my_time = strptime (date_last, "%Y-%m-%FT%H:%M%S.000Z")
| eval _time = my_time

how would I update the lookup table to contain a new field labeled as "_time"

0 Karma
1 Solution

splunker12er
Motivator
 | myinputlookup
 | eval my_time = strptime (date_last, "%Y-%m-%FT%H:%M%S.000Z")
 | eval _time = my_time
 | outputlookup outlookup.csv

View solution in original post

p_gurav
Champion
0 Karma

splunker12er
Motivator
 | myinputlookup
 | eval my_time = strptime (date_last, "%Y-%m-%FT%H:%M%S.000Z")
 | eval _time = my_time
 | outputlookup outlookup.csv

esmonder
Path Finder

any way to update the existing lookup file?

0 Karma

splunker12er
Motivator

give the name as the inputlookup file u can still able to edit it

| inputlookup yourtablename.csv
| eval my_time = strptime (date_last, "%Y-%m-%FT%H:%M%S.000Z")
| eval _time = my_time
| outputlookup yourtablename.csv

0 Karma

esmonder
Path Finder

Thanks it works! 🙂

0 Karma

esmonder
Path Finder

hmm it seems to work on the search app (i see _time in the table), but when i went to review the csv file with the lookup editor app, the table just doubled in size (2x rows, no new columns).
cant seem to update the original csv file.

did more research and came out with this SPL but still didnt seem to work:
| inputlookup append=true test.csv
| appendcols
[| inputlookup append=true test.csv
| eval n = strftime((strptime(date_last, "%Y-%m-%dT%H:%M:%S.000Z")), "%m/%d/%Y %H:%M:%S")
| eval _time = n]
| outputlookup append=true test.csv

0 Karma

splunker12er
Motivator

are you trying to read and write to the same lookup file ?

0 Karma

esmonder
Path Finder

yes i am
/10char

0 Karma
Get Updates on the Splunk Community!

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...

New Splunk APM Enhancements Help Troubleshoot Your MySQL and NoSQL Databases Faster

Splunk Observability has two new enhancements to make it quicker and easier to troubleshoot slow or frequently ...