I'm looking to find a way to match up info from one data source that only changes once per day, and another data source that changes frequently. Each night we map user_id to computer_id and that file gets ingested into Splunk. During the day I have a constant stream of data coming in with mappings of action_taken and computer_id.
My challenge is that I need to be able to look up the mapping of user_id to action_taken historically, to within the minute, and through the API.
What is the best way to search/lookup/report that mapping?
I think you should use a lookup table and maybe even set up an automatic lookup. In a nutshell, the process you have running once a day generates a .csv file. Set up this .csv as a lookup and have the daily process update the same file. You can also do an automatic lookup, which will automatically include the user_id on every search. Here's what your search will look like, assuming your lookup file is called usermapping.csv:
your base search on streaming data | lookup usermapping.csv computer_id OUTPUT user_id | ....
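As an added illustration (not part of the answer above, and Python rather than SPL), here is a small model of that lookup step: `enrich` adds user_id to each streamed event the way `| lookup usermapping.csv computer_id OUTPUT user_id` does, and `TimeAwareLookup` picks the nightly snapshot that was current at the event's timestamp, so a historical query attributes an action to whoever held the machine on that day rather than to whoever holds it now. The snapshot and event values are constructed.

```python
from bisect import bisect_right
from datetime import datetime

# Constructed sample data: one nightly computer_id -> user_id snapshot per day,
# keyed by the time the snapshot (the daily CSV) was generated.
SNAPSHOTS = {
    "2024-03-01T00:00:00": {"pc-01": "alice", "pc-02": "bob"},
    "2024-03-02T00:00:00": {"pc-01": "carol", "pc-02": "bob"},  # pc-01 reassigned
}

# Constructed sample stream events: (timestamp, computer_id, action_taken)
EVENTS = [
    ("2024-03-01T09:15:00", "pc-01", "file_copy"),
    ("2024-03-01T23:59:00", "pc-01", "login"),
    ("2024-03-02T08:05:00", "pc-01", "usb_insert"),
    ("2024-03-02T10:00:00", "pc-03", "login"),  # machine never mapped
]


class TimeAwareLookup:
    """Resolve computer_id -> user_id from the latest snapshot at or before event time."""

    def __init__(self, snapshots):
        items = sorted(((datetime.fromisoformat(t), m) for t, m in snapshots.items()),
                       key=lambda kv: kv[0])
        self._times = [t for t, _ in items]
        self._maps = [m for _, m in items]

    def user_for(self, computer_id, ts):
        # bisect_right finds the last snapshot whose time is <= the event time
        i = bisect_right(self._times, datetime.fromisoformat(ts)) - 1
        if i < 0:
            return None  # event predates every snapshot we hold
        return self._maps[i].get(computer_id)

    def latest_user_for(self, computer_id):
        # What a plain CSV lookup sees: only the most recently written mapping
        return self._maps[-1].get(computer_id)


def enrich(events, lookup):
    """Mimic '| lookup usermapping.csv computer_id OUTPUT user_id' over a stream."""
    return [
        {"_time": ts, "computer_id": cid, "action_taken": act,
         "user_id": lookup.user_for(cid, ts)}
        for ts, cid, act in events
    ]
```

With only the latest CSV, the 2024-03-01 file_copy on pc-01 would be attributed to carol; the time-aware resolution returns alice, the user mapped on that day.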