Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to build a lookup table with a condition?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
joydeep741
Path Finder
06-29-2018
01:48 AM
I have a lookup of epoch times:
epoch_time_lookup.csv
Start Time End Time
1529737700 1529737800
1529737600 1529737750
1529737800 1529737900
1529737720 1529737722
I have a search which gives me results with 2 columns. EPOCH TIME and AVAILABILITY
EPOCH AVAIL
1529737700 100
1529737600 100
1529737800 0
1529737720 100
Now I want to build a search, whenever AVAIL == 0 , check if the EPOCH is between any START and END times in epoch_time_lookup.csv lookup.
If yes, make availability 100.
Eg:
index= abc sourcetype=xyz | eval EPOCH = _time | eval AVAILABILITY = availability_field | **eval availability = (if EPOCH in START and END of lookup) ,100, 0)**
Need help in building the logic.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
06-30-2018
09:30 AM
This solution is based on this other Q&A:
https://answers.splunk.com/answers/648345/timechart-volume-per-hour-same-day-over-several-we.html
Try this:
index= abc sourcetype=xyz
| eval AVAILABILITY = availability_field
| eval availability = if([|inputlookup epoch_time_lookup.csv
| rename "Start Time" AS time>, "End Time" AS time<
| format
| rex field=search mode=sed "s/time/_time/g s/\"//g"] ,100, 0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
06-30-2018
09:30 AM
This solution is based on this other Q&A:
https://answers.splunk.com/answers/648345/timechart-volume-per-hour-same-day-over-several-we.html
Try this:
index= abc sourcetype=xyz
| eval AVAILABILITY = availability_field
| eval availability = if([|inputlookup epoch_time_lookup.csv
| rename "Start Time" AS time>, "End Time" AS time<
| format
| rex field=search mode=sed "s/time/_time/g s/\"//g"] ,100, 0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
joydeep741
Path Finder
07-01-2018
06:52 AM
@woodcock
I corrected it. Thanks a lot.
What a genius way of doing this.
Get Updates on the Splunk Community!
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
Introducing the 2024 Splunk MVPs!
We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...
Splunk Custom Visualizations App End of Life
The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...
