https://community.splunk.com/t5/Splunk-Search/Add-a-Date-field-to-a-ref-table-that-doesn-t-have-a-date-field/m-p/111477#M29213 <P>Howdy from Dallas Texas,<BR /> I have an employee info table that gets indexed in splunk once a month and has no date field.<BR /> This table is used extensively as Subsearch to define specific subsets of employees.<BR /> However my problem is that since the table only has a timestamp of when it is loaded each month I have to use custom date for the subsearch from the date range (i.e., earliest=-45d) to include the employee file in my main search.<BR /><BR /> I have already tried to do a field extraction of the time to add to my index but it did not seem to work.<BR /> I'm sure that there is an easy solution but I'm not very experienced with Splunk so Your suggestions/recommendations would be greatly appreciated.<BR /> Thanks</P> Thu, 04 Sep 2014 14:36:44 GMT pparkerntx99 2014-09-04T14:36:44Z https://community.splunk.com/t5/Splunk-Search/Add-a-Date-field-to-a-ref-table-that-doesn-t-have-a-date-field/m-p/111477#M29213 <P>Howdy from Dallas Texas,<BR /> I have an employee info table that gets indexed in splunk once a month and has no date field.<BR /> This table is used extensively as Subsearch to define specific subsets of employees.<BR /> However my problem is that since the table only has a timestamp of when it is loaded each month I have to use custom date for the subsearch from the date range (i.e., earliest=-45d) to include the employee file in my main search.<BR /><BR /> I have already tried to do a field extraction of the time to add to my index but it did not seem to work.<BR /> I'm sure that there is an easy solution but I'm not very experienced with Splunk so Your suggestions/recommendations would be greatly appreciated.<BR /> Thanks</P> Thu, 04 Sep 2014 14:36:44 GMT https://community.splunk.com/t5/Splunk-Search/Add-a-Date-field-to-a-ref-table-that-doesn-t-have-a-date-field/m-p/111477#M29213 pparkerntx99 2014-09-04T14:36:44Z https://community.splunk.com/t5/Splunk-Search/Add-a-Date-field-to-a-ref-table-that-doesn-t-have-a-date-field/m-p/111478#M29214 <P>So, Splunk is timebased... I do have similar situations here but I don't see as a problem to use "earliest=-45d" in the subsearch. I normally include a bigger period, lets say that covers 2 or 3 imports, and use a "dedup" to make user I get the last record.</P> <P>The other alternative is to export the employee data as a lookup table. You could use it in a lookup format or using "inputlookup" command. In both cases, there is no "date"... like that:</P> <P><CODE>index=main &lt;your search&gt; [ inputlookup employees.csv name="John" | return id=employee_id ]</CODE></P> <P>Let me know if that helps.</P> Fri, 05 Sep 2014 00:31:06 GMT https://community.splunk.com/t5/Splunk-Search/Add-a-Date-field-to-a-ref-table-that-doesn-t-have-a-date-field/m-p/111478#M29214 musskopf 2014-09-05T00:31:06Z https://community.splunk.com/t5/Splunk-Search/Add-a-Date-field-to-a-ref-table-that-doesn-t-have-a-date-field/m-p/111479#M29215 <P>Splunk is really designed to index "events." Events are a record of something interesting that happened at a particular time. For the employee info data, I recommend that you use a lookup. Lookups are fast, and you don't need a sub-search, which will make your searches less complicated. You also don't need to mess with date ranges if you use lookups.</P> <P>You will need to upload your employee info data to Splunk as a CSV file. You can update the file at will. (It's just a CSV in a particular directory on the Splunk server.)</P> <P>Here is the best place to learn more, it is a tutorial on lookups: <A href="http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchTutorial/Usefieldlookups">Use Field Lookups</A></P> Sat, 06 Sep 2014 23:53:10 GMT https://community.splunk.com/t5/Splunk-Search/Add-a-Date-field-to-a-ref-table-that-doesn-t-have-a-date-field/m-p/111479#M29215 lguinn2 2014-09-06T23:53:10Z