Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Cumulative time based (temporal) lookups possible?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have some data in Splunk that I would like to link to some external CSV files
Splunk events have this format
_time, data, link1
The first CSV will be a time based lookup based on link1
dd/mm/yyyy, link1, link2, link3, data2, data3
The second CSV file will be another time based lookup but using data from first CSV to link (link2, link3)
dd/mm/yyyy, link2, link3, data4, data5
So I have have successfully linked the first CSV via this method
http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsfromexternaldatasources#Set_up_...
What I want to know is if these lookups are cumulative?
ie will the second temporal lookup allow the use of results linked from the first lookup?
Or should I just go down the external script lookup route?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just posting the solution here in case someone else wants to know how it is done
transforms.conf
[customerLookup]
filename=customer-details.csv
time_field=contract_start
time_format = %d/%m/%Y
[chargesLookup]
filename=charges.csv
time_field=date
time_format = %d/%m/%Y
props.conf
[usage-data]
LOOKUP-customerCSV = customerLookup link1 OUTPUT link2 link3 data2 data3
LOOKUP-injectionChargesCSV = chargesLookup link2 link3 OUTPUT data4 data5
It works perfectly so its good to know this is possible.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just posting the solution here in case someone else wants to know how it is done
transforms.conf
[customerLookup]
filename=customer-details.csv
time_field=contract_start
time_format = %d/%m/%Y
[chargesLookup]
filename=charges.csv
time_field=date
time_format = %d/%m/%Y
props.conf
[usage-data]
LOOKUP-customerCSV = customerLookup link1 OUTPUT link2 link3 data2 data3
LOOKUP-injectionChargesCSV = chargesLookup link2 link3 OUTPUT data4 data5
It works perfectly so its good to know this is possible.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, they will run in sequence. The order is determined by the lexicographic order, so that LOOKUP-a will run before LOOKUP-b.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah good to know about the sequence they are run. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Scratch that is was an issue with my props.conf
IT WORKS!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just did a test and it doesnt appear to work. But any suggestion on how to achieve this would be great.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
