Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you perform a search if today is not the date listed in the lookup .csv file

lucy2019
Explorer
‎02-20-2019 01:37 PM

I have lookup file my_dates.csv like this:

mydate, something
1/1/2019, sth1
2/12/2019,sth2
2/20/2019,sth
3/13/2019,sth3

I need to perform a search for if today's date is not the one in my_dates.csv. My search looks like this:

 |bin _time span=1d | search NOT [|inputlook my_dates.csv | eval _time=strptime(mydate, "%m%d%Y") | table _time]

However, this seems to not work. For example, today's date is 2/20/2019. I still got some results back if I run the above search.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-20-2019 09:21 PM

I am by no means validating your particular design here, but the way to make it function is like this:

... | bin _time span=1d | search NOT [|inputlook my_dates.csv | eval time=strptime(mydate, "%m%d%Y") | table time | format | rex field=search mode=sed "s/time/_time/g"]

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-20-2019 09:21 PM

I am by no means validating your particular design here, but the way to make it function is like this:

... | bin _time span=1d | search NOT [|inputlook my_dates.csv | eval time=strptime(mydate, "%m%d%Y") | table time | format | rex field=search mode=sed "s/time/_time/g"]
Reply
Solved! Jump to solution

lucy2019
Explorer
‎02-21-2019 07:27 AM

@woodcock This is awesome! It works perfectly as I need. Can you explain what exactly 'rex field=search mode=sed "s/time/_time/g"' does here? Many thanks!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-21-2019 08:09 AM

Splunk treats fields that start with underscore differently than other fields in that most commands ignore them as though they were invisible, and _time is even more special which has additional peculiarities all its own. Whenever you are debugging a failed subsearch, tack format on to the end of it in a regular search to validate what the subsearch will generate. In this case, it revealed what I expected: _time was (properly) being treated as invisible so your subsearch had nothing in it. So I used time instead, which did generate the expected logic in the search field, but with the wrong field name. I used sed to rename time back to _time.

0 Karma
Reply
Solved! Jump to solution

lucy2019
Explorer
‎02-20-2019 01:40 PM

I had typo in my search, it should be:
index='abcd' string_seach |bin _time span=1d | search NOT [|inputlookup my_dates.csv | eval _time=strptime(mydate, "%m%d%Y") | table _time]

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎02-20-2019 09:49 PM

Need to add the slashes “/“ in your _time strptime eval.

%m%d%Y

Becomes

%m/%d/%Y
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...