Why is my lookup(.CSV) search not filtering result...

angelagunn · ‎11-27-2018

I have a CSV lookup table that has 14,610 rows. I want to filter the lookup, so when I use it in my main query, it is looking at <1000 rows. The file is a list of all dates with various date information (quarter, day of week, etc.). I want only the rows from 2017 to the current year.

This is what the file looks like:

id,date_num,date_value,year_month_num,calendar_quarter,month_num,month_name,month_short_name,week_num,day_num_of_year,day_num_of_month,day_num_of_week,day_name,day_short_name,quarter,year_quarter_num,day_num_of_quarter,year,is_weekend
    1,20000101,2000-01-01,200001,Qtr-1,1,January,Jan,52,1,1,7,Saturday,Sat,1,20001,1,2000,1
    2,20000102,2000-01-02,200001,Qtr-1,1,January,Jan,53,2,2,1,Sunday,Sun,1,20001,2,2000,1
    3,20000103,2000-01-03,200001,Qtr-1,1,January,Jan,1,3,3,2,Monday,Mon,1,20001,3,2000,0

This is my query:

| inputlookup d_date_dimensions.csv 
| fields date_value year calendar_quarter
| eval current_year=strftime(now(), "%Y")
| search year>=2017 AND year<=current_year

The results I get are all rows for the year 2017 and higher (8,400 rows). I expect only 730 rows (years 2017 and 2018 rows).

The below two search lines WORK, so I'm not sure why the current_year value used above wouldn't work.

| search year>=2017 AND year<=2018  

| search year>=2017 AND year<="2018"

HiroshiSatoh · ‎11-27-2018

I think current_year is treated as a character string.
Please try using the WHERE clause or specify a direct value("2018").

Why is my lookup(.CSV) search not filtering results?

This is what the file looks like:

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases