https://community.splunk.com/t5/Splunk-Search/How-do-I-merge-lookup-table-and-index-results/m-p/324032#M96716 <P>You would need to setup time-based lookup. See this for more information.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Configureatime-boundedlookup">https://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Configureatime-boundedlookup</A></P> <P>Your lookup should have a time field with epoch format value (not string). Once it's configured, you just need to do a <CODE>|lookup</CODE> (no joins required).</P> Thu, 07 Dec 2017 15:36:29 GMT somesoni2 2017-12-07T15:36:29Z https://community.splunk.com/t5/Splunk-Search/How-do-I-merge-lookup-table-and-index-results/m-p/324030#M96714 <P>Hi.<BR /> To start with, I have a lookup table like so.<BR /> keyValue.csv<BR /> <CODE>date key value</CODE><BR /> <CODE>01/01/2017 EE Enterprise Edition</CODE><BR /> <CODE>01/03/2017 EE Edited Edition</CODE><BR /> <CODE>01/05/2017 EE Epsilon Edition</CODE></P> <P>Now, we see that the value for the key <CODE>EE</CODE> changes twice.<BR /> For events coming from an index, I have _time and a field called 'Name'.<BR /> Like this.<BR /> index=event_container<BR /> <CODE>_time Name</CODE><BR /> <CODE>01/12/2016 EE</CODE><BR /> <CODE>01/02/2017 EE</CODE><BR /> <CODE>01/04/2017 EE</CODE><BR /> <CODE>01/12/2017 EE</CODE></P> <P>What I'm looking to do is, retrieve the value from the lookup for the "Name" in the event, and display it along side the Name, but with the time in consideration. Hence:</P> <P><CODE>_time Name Description</CODE><BR /> <CODE>01/12/2016 EE (whatever previous value if it existed)</CODE><BR /> <CODE>01/02/2017 EE Enterprise Edition</CODE><BR /> <CODE>01/04/2017 EE Edited Edition</CODE><BR /> <CODE>01/12/2017 EE Epsilon Edition</CODE></P> <P>what I have so far is: <CODE>index=event_container | lookup keyValue.csv date key value | join type=inner _time | table _time, Name, value | rename value as Description</CODE><BR /> Thank you.<BR /> -SnipeDown21</P> Tue, 29 Sep 2020 17:06:21 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-merge-lookup-table-and-index-results/m-p/324030#M96714 snipedown21 2020-09-29T17:06:21Z https://community.splunk.com/t5/Splunk-Search/How-do-I-merge-lookup-table-and-index-results/m-p/324031#M96715 <P>Hi @snipedown21,</P> <P>I am bit confused about what you want to achieve because you have mentioned that <CODE>Name</CODE> and <CODE>_time</CODE> field should be match with lookup table <CODE>key</CODE> and <CODE>date</CODE> fields then your output will be something like this</P> <PRE><CODE>_time Name Description 01/12/2016 EE NULL 01/01/2017 EE Enterprise Edition 01/03/2017 EE Edited Edition 01/05/2017 EE Epsilon Edition </CODE></PRE> <P>Can you please clarify on this?</P> Thu, 07 Dec 2017 14:35:54 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-merge-lookup-table-and-index-results/m-p/324031#M96715 harsmarvania57 2017-12-07T14:35:54Z https://community.splunk.com/t5/Splunk-Search/How-do-I-merge-lookup-table-and-index-results/m-p/324032#M96716 <P>You would need to setup time-based lookup. See this for more information.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Configureatime-boundedlookup">https://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Configureatime-boundedlookup</A></P> <P>Your lookup should have a time field with epoch format value (not string). Once it's configured, you just need to do a <CODE>|lookup</CODE> (no joins required).</P> Thu, 07 Dec 2017 15:36:29 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-merge-lookup-table-and-index-results/m-p/324032#M96716 somesoni2 2017-12-07T15:36:29Z https://community.splunk.com/t5/Splunk-Search/How-do-I-merge-lookup-table-and-index-results/m-p/324033#M96717 <P>The Name and _time will be variables looked up in the lookup table called keyValue.csv and the appropriate value(for the key and the date range) will be picked and returned to the table.</P> Fri, 08 Dec 2017 03:55:11 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-merge-lookup-table-and-index-results/m-p/324033#M96717 snipedown21 2017-12-08T03:55:11Z https://community.splunk.com/t5/Splunk-Search/How-do-I-merge-lookup-table-and-index-results/m-p/324034#M96718 <P>Yes. I read that link and looks like I need that, but I need help with the query as well. What I have doesn't seem to work currently.</P> Fri, 08 Dec 2017 03:57:43 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-merge-lookup-table-and-index-results/m-p/324034#M96718 snipedown21 2017-12-08T03:57:43Z