I have a time field "date_last" in a lookup table: 2018-03-20T12:25:00.000Z
which I have tried to extract using the following (correct me if I'm wrong):
| myinputlookup | eval my_time = strptime (date_last, "%Y-%m-%FT%H:%M%S.000Z") | eval _time = my_time
How would I update the lookup table to contain a new field labeled as "_time"?
Give the name as the inputlookup file; you are still able to edit it.
| inputlookup yourtablename.csv
| eval my_time = strptime(date_last, "%Y-%m-%dT%H:%M:%S.000Z")
| eval _time = my_time
| outputlookup yourtablename.csv
Hmm, it seems to work in the search app (I see _time in the table), but when I went to review the CSV file with the lookup editor app, the table just doubled in size (2x rows, no new columns).
Can't seem to update the original CSV file.
Did more research and came up with this SPL, but it still didn't seem to work:
| inputlookup append=true test.csv
[| inputlookup append=true test.csv
| eval n = strftime((strptime(date_last, "%Y-%m-%dT%H:%M:%S.000Z")), "%m/%d/%Y %H:%M:%S")
| eval _time = n]
| outputlookup append=true test.csv