Splunk query that uses different lookup table depe...

jwhit · ‎09-07-2016

Is it possible to have a splunk query use a different lookup table for a given day. For instance I want to use the lookup table on monday to cross-refernce with files that are suppose to run on Monday. On tuesday I would like to do the same but use a lookup table that corresponds to the jobs that is suppose to be ran on Tuesday. Can I do this in one search or would it require multiple searches in my dashboard.

vasanthmss · ‎09-07-2016

you can use the same lookup by adding separate column to keep date values as suggested in the above comment. In-case your lookup has more records and still you want to handled by name then you can try something like this,,

| lookup [|stats c | eval l=strftime(now(),"mylookup_%Y_%m_%d.csv")] primary_key OUTPUT field1, field2 ..

here lookup will be like this,

mylookup_2016_09_06.csv 
mylookup_2016_09_07.csv

By changing the date variable you can create your lookup name in sub search and pass ...

hope this will help you.

V

sundareshr · ‎09-07-2016

Why not add a "day" column to your lookup table and have your query match on two fields. ... | eval dow=strftime(now(), "%a") | lookup somefile.csv day AS dow someotherfield AS someotherfield OUTPUT all fields | ...

jwhit · ‎09-08-2016

Thanks I think this will do. Sidenote I have been getting an File not end of line error when trying to upload an excel spreadsheet converted to a CSV. Any suggestion on this?

Splunk query that uses different lookup table depending on the day

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!