Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to pass the current date into the outputlookup file name?

mic1024
Path Finder
‎10-29-2014 09:48 AM

Is there a way to pass current date into outputlookup file name?

For instance I created and append my lookup file with LOG_ID=362826361 (this is a search generated by workflow action [when user sees a new event, clicks on it and invokes appending of the lookupfile]):


index=opsmon sourcetype=opsmonitor LOG_ID=362826361 |table LOG_ID |outputlookup append=true ackevents.csv

Then on a dashboard called ACK Events I pass contents of ackevents.csv to display list of events that were acknowledged:

index=opsmon sourcetype=opsmonitor EVENT_MSG=* [|inputlookup ackevents.csv] |stats list(EVENT_MSG) by _time, LOG_LEVEL , APP_DOMAIN,HOST_NAME, LOG_ID | sort - _time

At the same time the original dashboard Excludes the ACK'ed events.

The lookup file however will grow over time, which is something I'd like to avoid - hence generate a new file every day ( by means of creating it with a date in the file name).

Any ideas?

Thanks,

Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-29-2014 10:14 AM

Sure. Define a macro like this:

[today]
definition = strftime(time(), "%Y-%m-%d")
iseval = 1

and use it in your search like this:

... | outputlookup foo_`today`.csv

gives me this output:

Results written to file 'C:\Program Files\Splunk\etc\apps\search\lookups\foo_2014-10-29.csv' on serverName='Martin-PC'

View solution in original post

Reply
Solved! Jump to solution

vnravikumar
Champion
‎02-19-2019 08:41 PM

Hi @vumanhtai

If you try to define a macro using conf file then put the entry macros.conf in the corresponding app folder. Let me know any issues

[today]
definition = strftime(time(), "%Y-%m-%d")
iseval = 1

if you try using UI then it should be

alt text

0 Karma
Reply
Solved! Jump to solution

vumanhtai
Path Finder
‎02-19-2019 08:49 PM

thank you so much

0 Karma
Reply
Solved! Jump to solution

vumanhtai
Path Finder
‎02-19-2019 05:49 PM

Hi all
i added new macros like this :
alt text

but my search : | outputlookup test_today.csv is not working
how do i add the "today" macro to make it work

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-29-2014 10:14 AM

Sure. Define a macro like this:

[today]
definition = strftime(time(), "%Y-%m-%d")
iseval = 1

and use it in your search like this:

... | outputlookup foo_`today`.csv

gives me this output:

Results written to file 'C:\Program Files\Splunk\etc\apps\search\lookups\foo_2014-10-29.csv' on serverName='Martin-PC'
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...