Splunk Search

How to fix my time-based lookup?

gcusello
SplunkTrust
SplunkTrust

Hi at all,
I'm trying to use time based lookups and I found the following problem:
I created a Time Based Lookup and I'm able to show all the lookup fields using the "| inputlookup command"
The problem is that using the lookup in a search I see all fields but not the date.

My lookup has the following fields:
- myfield
- mydate (field used for the time field)
- myfield1

My search is

mysearch | lookup mylookup.csv myfield | table _time myfield mydate myfield1

all the fields have values but not mydate field.
I also tried to transform using eval with no success.

Someone has any idea how to do this?

Thank you.
Bye.
Giuseppe

0 Karma
1 Solution

haley_swarnapat
Path Finder

It seems that you forgot to specify the OUTPUT fields, try this:

mysearch | lookup mylookup.csv myfield OUTPUT mydate myfield1| table _time myfield mydate myfield1

View solution in original post

0 Karma

haley_swarnapat
Path Finder

It seems that you forgot to specify the OUTPUT fields, try this:

mysearch | lookup mylookup.csv myfield OUTPUT mydate myfield1| table _time myfield mydate myfield1

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

The strange thing was that my search showed all the other fields but not the field used for the Time Based Lookup!
Everyway, thank you.
Bye.
Giuseppe

0 Karma