×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
chorn3567
Engager
Member since: ‎06-26-2024
‎07-10-2024
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-26-2024
View All

Help refining .csv lookup evals, data not outputti...

by in Splunk Search
‎07-10-2024 12:06 PM
‎07-10-2024 12:06 PM
hi!  Working on adding a holiday table as a lookup to reference for alerts based on volume and want to alert on different thresholds if its a holiday. the referenced search is showing data for 7/10 as nonHoliday, even though for a test, i have it listed as a holiday in the lookup file.  its a .csv, so no initial formatting seems to be passing thru the file, need to format the holidayDate column in mm/dd/yyyy       index=my_index | eval eventDate=strftime(_time, "%m/%d/%Y") | lookup holidayLookup.csv holidayDate as eventDate OUTPUT holidayDate | eval dateLookup = strftime(holidayDate, "%m/%d/%Y") | eval holidayCheck=if(eventDate == dateLookup, "holiday", "nonHoliday") | fields eventDate holidayCheck | where holidayCheck="nonHoliday"       screen shot shows its captured the event date as expected and is outputting a value for holidayCheck, but, based on the data file its referencing, it should show as Holiday.  data structure holidayDate holidayName 07/10/2024 Testing Day 07/04/2024 Independence Day   ... View more
Labels

Re: New User Looking for help comparing values

by in Splunk Search
‎06-27-2024 06:09 AM
‎06-27-2024 06:09 AM
simple as that, thank you! worked for me.  ... View more

Re: New User Looking for help comparing values

by in Splunk Search
‎06-26-2024 11:22 AM
‎06-26-2024 11:22 AM
updated post, thank you for the tip!    ... View more

New User Looking for help comparing values

by in Splunk Search
‎06-26-2024 11:04 AM
‎06-26-2024 11:04 AM
Hi All! First post, super new user to Splunk.  Have a search that i modified from a one a team member previously created, im trying to take the output of ClientVersion and compare the 6wkAvg count to the Today count for same timespan and see what the percentage -/+ is. Ultimately building towards alerting when below a certain threshold.  | fields _time ClientVersion | eval DoW=strftime(_time, "%A") | eval TodayDoW=strftime(now(), "%A") | where DoW=TodayDoW | search ClientVersion=FAPI* | eval ClientVersion=if((like("ClientVersion=FAPI*","%OR%") OR false()) AND false(), "Combined", ClientVersion) | bin _time span=5m | eval tempTime=strftime(_time,"%m/%d") | where (tempTime!="null") | eval tempTime=if(true() AND _time < relative_time(now(), "@d"), "6wkAvg", "Today") | stats count by ClientVersion _time tempTime | eval _time=round(strptime(strftime(now(),"%Y-%m-%d").strftime(_time,"%H:%M:%S"),"%Y-%m-%d%H:%M:%S"),0) | stats avg(count) as count by ClientVersion _time tempTime | eval ClientVersion=ClientVersion."-".tempTime | eval count=round(count,0)   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-10-2024 06:10 PM