Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you perform a search if today is not the date listed in the lookup .csv file

lucy2019
Explorer
‎02-20-2019 01:37 PM

I have lookup file my_dates.csv like this:

mydate, something
1/1/2019, sth1
2/12/2019,sth2
2/20/2019,sth
3/13/2019,sth3

I need to perform a search for if today's date is not the one in my_dates.csv. My search looks like this:

 |bin _time span=1d | search NOT [|inputlook my_dates.csv | eval _time=strptime(mydate, "%m%d%Y") | table _time]

However, this seems to not work. For example, today's date is 2/20/2019. I still got some results back if I run the above search.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-20-2019 09:21 PM

I am by no means validating your particular design here, but the way to make it function is like this:

... | bin _time span=1d | search NOT [|inputlook my_dates.csv | eval time=strptime(mydate, "%m%d%Y") | table time | format | rex field=search mode=sed "s/time/_time/g"]

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-20-2019 09:21 PM

I am by no means validating your particular design here, but the way to make it function is like this:

... | bin _time span=1d | search NOT [|inputlook my_dates.csv | eval time=strptime(mydate, "%m%d%Y") | table time | format | rex field=search mode=sed "s/time/_time/g"]
Reply
Solved! Jump to solution

lucy2019
Explorer
‎02-21-2019 07:27 AM

@woodcock This is awesome! It works perfectly as I need. Can you explain what exactly 'rex field=search mode=sed "s/time/_time/g"' does here? Many thanks!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-21-2019 08:09 AM

Splunk treats fields that start with underscore differently than other fields in that most commands ignore them as though they were invisible, and _time is even more special which has additional peculiarities all its own. Whenever you are debugging a failed subsearch, tack format on to the end of it in a regular search to validate what the subsearch will generate. In this case, it revealed what I expected: _time was (properly) being treated as invisible so your subsearch had nothing in it. So I used time instead, which did generate the expected logic in the search field, but with the wrong field name. I used sed to rename time back to _time.

0 Karma
Reply
Solved! Jump to solution

lucy2019
Explorer
‎02-20-2019 01:40 PM

I had typo in my search, it should be:
index='abcd' string_seach |bin _time span=1d | search NOT [|inputlookup my_dates.csv | eval _time=strptime(mydate, "%m%d%Y") | table _time]

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎02-20-2019 09:49 PM

Need to add the slashes “/“ in your _time strptime eval.

%m%d%Y

Becomes

%m/%d/%Y
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...