Solved: strptime for a existing time field in lookup table...

esmonder · ‎04-01-2018

i have a timefield "date_last" in a lookup table: 2018-03-20T12:25:00.000Z

which i have tried to extract the field using the following(correct me if i'm wrong):

| myinputlookup
| eval my_time = strptime (date_last, "%Y-%m-%FT%H:%M%S.000Z")
| eval _time = my_time

how would I update the lookup table to contain a new field labeled as "_time"

splunker12er · ‎04-02-2018

 | myinputlookup
 | eval my_time = strptime (date_last, "%Y-%m-%FT%H:%M%S.000Z")
 | eval _time = my_time
 | outputlookup outlookup.csv

View solution in original post

p_gurav · ‎04-02-2018

This may be help you:

https://answers.splunk.com/answers/387428/how-to-update-a-lookup-table.html

splunker12er · ‎04-02-2018

 | myinputlookup
 | eval my_time = strptime (date_last, "%Y-%m-%FT%H:%M%S.000Z")
 | eval _time = my_time
 | outputlookup outlookup.csv

esmonder · ‎04-02-2018

any way to update the existing lookup file?

splunker12er · ‎04-02-2018

give the name as the inputlookup file u can still able to edit it

| inputlookup yourtablename.csv
| eval my_time = strptime (date_last, "%Y-%m-%FT%H:%M%S.000Z")
| eval _time = my_time
| outputlookup yourtablename.csv

esmonder · ‎04-02-2018

Thanks it works! 🙂

esmonder · ‎04-02-2018

hmm it seems to work on the search app (i see _time in the table), but when i went to review the csv file with the lookup editor app, the table just doubled in size (2x rows, no new columns).
cant seem to update the original csv file.

splunker12er · ‎04-02-2018

are you trying to read and write to the same lookup file ?

esmonder · ‎04-02-2018

yes i am
/10char

strptime for a existing time field in lookup table and adding new time field (_time) in the same lookup table

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms