Splunk Search

Field names in lookup search do not match field names in csv

sc0tt
Builder

I have a lookup file that is recreated daily and the last field is the current date.

item id 2015-03-08
item1 1
item2 2
item3 3

When doing a lookup the date field name does not match the current date value in the csv. It is an older date.

Example:
| inputlookup my_lookup

item id 2015-02-28
item1 1
item2 2
item3 3

Previously, I would get whatever date field was in the csv. When I check the lookup definitions the supported fields are listed as item, id, 2015-02-28. How can I have Splunk return the current date field name in the csv and not the old field name?

0 Karma
1 Solution

sc0tt
Builder

I agree that having a date field with date value would be ideal, but this is how the file is currently provided. After further investigation, it seems that Splunk was moved to a new directory on the server because of space constraints and the path was set to the old directory. Thanks for your help anyways!

0 Karma

martin_mueller
SplunkTrust

Have you considered adding a field date that has the date as a value? Should be much easier to work with later if the field name doesn't change all the time. Also, having the minus operator in a field name can lead to unexpected results.

0 Karma
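
The fixed `date` field suggested in the reply above, sketched as an added example that is not part of the original thread: a Python pre-processing step (an assumption, the thread names no tooling) that rewrites the daily CSV so the field names stay `item`, `id`, `date`. It assumes a comma-delimited file with empty cells under the date-named header, and it returns the header date so a stale copy of the file, the symptom in the question, can be detected.

```python
import csv
import io
import re
from datetime import date

ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")

# Constructed sample mirroring the layout in the question (assumed comma-delimited).
SAMPLE = "item,id,2015-03-08\nitem1,1,\nitem2,2,\nitem3,3,\n"


def normalize_lookup(text):
    """Replace the date-named column with a fixed `date` field.

    Returns (csv_text, file_date). Raises ValueError on unexpected layouts.
    """
    rows = [r for r in csv.reader(io.StringIO(text)) if r]  # skip blank lines
    if not rows:
        raise ValueError("empty lookup file")
    header = [name.strip() for name in rows[0]]
    date_cols = [i for i, name in enumerate(header) if ISO_DATE.fullmatch(name)]
    if len(date_cols) != 1:
        raise ValueError("expected one date-named column, found %d" % len(date_cols))
    idx = date_cols[0]
    file_date = date.fromisoformat(header[idx])  # rejects dates such as 2015-02-30

    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header[:idx] + header[idx + 1:] + ["date"])
    for n, row in enumerate(rows[1:], start=1):
        row = row + [""] * (len(header) - len(row))  # pad rows missing trailing cells
        if row[idx].strip():
            # Assumption: the date column carries no per-row data, as in the question.
            raise ValueError("data row %d has a value under the date column" % n)
        writer.writerow(row[:idx] + row[idx + 1:len(header)] + [file_date.isoformat()])
    return out.getvalue(), file_date


def is_stale(file_date, today):
    """True when the header date is older than the day the file should be rebuilt."""
    return file_date < today
```
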