Is it possible to have a Splunk query use a different lookup table for a given day? For instance, I want to use the lookup table on Monday to cross-reference with files that are supposed to run on Monday. On Tuesday I would like to do the same but use a lookup table that corresponds to the jobs that are supposed to be run on Tuesday. Can I do this in one search, or would it require multiple searches in my dashboard?
You can use the same lookup by adding a separate column to keep date values, as suggested in the above comment. In case your lookup has more records and you still want to handle it by name, then you can try something like this:
| lookup [|stats c | eval l=strftime(now(),"mylookup_%Y_%m_%d.csv") | return $l] primary_key OUTPUT field1, field2 ..
Here the lookup will be like this:
mylookup_2016_09_06.csv
mylookup_2016_09_07.csv
By changing the date variable, you can create your lookup name in the subsearch and pass ...
Hope this will help you.
Why not add a "day" column to your lookup table and have your query match on two fields?
... | eval dow=strftime(now(), "%a") | lookup somefile.csv day AS dow someotherfield AS someotherfield OUTPUT all fields | ...
Thanks, I think this will do. Side note: I have been getting a "File not end of line" error when trying to upload an Excel spreadsheet converted to a CSV. Any suggestions on this?
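The "day" column approach suggested above, as an added example that is not part of the original thread: it lists the jobs expected today and flags those with no run logged since midnight. The lookup file expected_jobs.csv (columns day and job_name), the index and sourcetype, and the job_name event field are all assumed names.

```spl
| inputlookup expected_jobs.csv ```assumed lookup: columns day (Mon..Sun) and job_name```
| eval dow=strftime(now(), "%a")
| where day=dow
| fields job_name
| join type=left job_name
    [ search index=batch sourcetype=job_log earliest=@d latest=now
      | stats count AS runs latest(_time) AS last_run BY job_name ]
| fillnull value=0 runs ```expected jobs with no events today get runs=0```
| eval status=if(runs=0, "MISSING", "ran")
| eval last_run=strftime(last_run, "%F %T")
| table job_name status runs last_run
```

Because the day filter is applied to the lookup rows themselves, one search and one lookup file cover every weekday, and the result can back a dashboard panel or a scheduled alert on status="MISSING".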