Suppose that I have events for my devices being splunked and each device is associated with an account ID located in a database.
We have a scenario as follows:
For this one you'd want a time-based lookup. See docs here: http://www.splunk.com/base/Documentation/latest/Knowledge/Addfieldsfromexternaldatasources#Set_up_a_...
Look for other answers for best practices on this.
So you are saying I could match the event time on a temporal month and year based field? If so, then I could maintain the new mappings as they change in the lookup file, correct?
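A minimal time-based lookup setup for the device-to-account case discussed in this thread, added here as an illustration and not taken from any poster's configuration. The lookup file name, stanza names, sourcetype and field names (`device_account.csv`, `device_account_lookup`, `device_events`, `device_id`, `account_id`, `effective_from`) and the sample rows are assumptions.

```ini
# ---- $SPLUNK_HOME/etc/apps/<app>/lookups/device_account.csv ----
# Constructed sample rows. One row per (device, account) assignment;
# append a new row when a device moves to another account, and keep
# the old rows so historical events still resolve correctly.
#
#   device_id,account_id,effective_from
#   dev-001,ACC-100,2011-01-01
#   dev-001,ACC-200,2011-03-01
#   dev-002,ACC-300,2011-01-01

# ---- transforms.conf ----
[device_account_lookup]
filename = device_account.csv
# Column in the CSV that says when each mapping took effect.
time_field = effective_from
# strptime format of that column.
time_format = %Y-%m-%d
# An event matches a row only if the event time is at or after the
# row's time (minimum offset of 0 seconds).
min_offset_secs = 0
# max_offset_secs is left at its default here so a mapping stays in
# effect until a later row for the same device supersedes it. Set it
# if a mapping should expire after a fixed number of seconds.

# ---- props.conf ----
# Apply the lookup automatically to the (hypothetical) sourcetype that
# carries the device events, matching on device_id.
[device_events]
LOOKUP-device_account = device_account_lookup device_id OUTPUT account_id
```

With these rows, an event from `dev-001` timestamped in February 2011 resolves to `ACC-100` and one timestamped in April 2011 resolves to `ACC-200`, which is what keeps account attribution correct when investigating older events.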