Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Day of Week in Columns to Match Day of Week and Return Results

CSULeigh
Explorer
‎08-21-2020 10:59 AM

In my lookup table, I have the days of the week as columns with "Y" or "N" in the field (not able to change this as this is how the data is provided). I would like to return only the results from the lookup table that matches the day of the week and the day of the week columns with "Y". 

I have been looking at using IF statements and Where clauses, but not really getting it. The data columns look like this:

MonTueWedThuFriSatSun
YNYNNNN
NYNYNYN

 

I have been extracting the day by using dayOfWeek=strftime(_time, "%a") from the imbeded search query:

| inputlookup somecsv.csv
| join email [search index=someindex | eval dayOfWeek=strftime(_time, "%a")]
| table or stats (data from inputlookup that matches the days of the week from the search)

This is where I get stuck. Any help will be greatly appreciated. 

Labels (5)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Nisha18789
Builder
‎08-21-2020 03:23 PM

Hi @CSULeigh , not sure if I understand the  ask completely, but have you tried 

 

| inputlookup somecsv.csv
| join type=outer dayOfWeek [search index=someindex | eval dayOfWeek=strftime(_time, "%a")|eval found=1]

|where isnotnull(found)

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-21-2020 12:06 PM
Is the table shown an example lookup table? If so, how are the multiple rows for each day to be interpreted?
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

CSULeigh
Explorer
‎08-21-2020 02:51 PM

Yes the table is an example. There is more data to the tables. Basically anything with a "Y" marked on the day column is when the class will be available. This lookup table has the class data and need to return the class data based on a search of survey data from an index that will have the day that needs to match the lookup data based on the day. I hope this helps.

0 Karma
Reply
Solved! Jump to solution
Solution

Nisha18789
Builder
‎08-21-2020 03:23 PM

Hi @CSULeigh , not sure if I understand the  ask completely, but have you tried 

 

| inputlookup somecsv.csv
| join type=outer dayOfWeek [search index=someindex | eval dayOfWeek=strftime(_time, "%a")|eval found=1]

|where isnotnull(found)

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...