I want to use two fields that I have inside the lookup.
Inside my lookup I have "account" and "date".
Basically, what I want to do is search for the account with the date which is greater than today.
Hello ocampocliff1,
Here is the CSV I created:
If the date format is different on your end, you will have to change the time format in the eval statements. You can find the formats here: https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Commontimeformatvariables
Using this search:
| inputlookup accounts.csv
| eval new_time = strptime(date, "%m/%d/%Y")
| eval c_time=strftime(new_time,"%m/%d/%y %H:%M:%S")
| eval now = now()
| where new_time > now
| table account, c_time
I got this:
You can play with the | where clause as you please to find accounts in a time frame.
Hope it helps.
Couldn't edit the answer to show screenshots. They are in the answer below.
Hi adonio,
Thanks for this one!
I'm using this concept now. 🙂
You are welcome!
If that answers, can you mark as "answered"?
Thanks!
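Added example, not part of the original thread: a variant of the search in the answer above that labels each row instead of filtering, so that a row whose date does not match "%m/%d/%Y" shows up as unparsed rather than silently disappearing (strptime returns null for it, and `where new_time > now` drops null comparisons). The account names and the `constructed_row` field are constructed sample data generated relative to the current day; replace the first five commands with `| inputlookup accounts.csv` to run it against the lookup.

```spl
| makeresults
| eval constructed_row=mvappend(
    "acct_future," . strftime(relative_time(now(), "+30d@d"), "%m/%d/%Y"),
    "acct_today," . strftime(relative_time(now(), "@d"), "%m/%d/%Y"),
    "acct_past," . strftime(relative_time(now(), "-30d@d"), "%m/%d/%Y"),
    "acct_badfmt," . strftime(relative_time(now(), "+30d@d"), "%Y-%m-%d"))
| mvexpand constructed_row
| eval account=mvindex(split(constructed_row, ","), 0)
| eval date=mvindex(split(constructed_row, ","), 1)
| eval new_time=strptime(date, "%m/%d/%Y")
| eval status=case(isnull(new_time), "unparsed date",
                   new_time >= relative_time(now(), "+1d@d"), "after today",
                   true(), "today or earlier")
| table account, date, status
```

Appending `| where status="after today"` gives the accounts dated after today, and `| where status="unparsed date"` lists the lookup rows whose date format needs fixing.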