
How to fix my time-based lookup?

Hi all,
I'm trying to use time based lookups and I found the following problem:
I created a Time Based Lookup and I'm able to show all the lookup fields using the "| inputlookup" command.
The problem is that, when using the lookup in a search, I see all fields but not the date.

My lookup has the following fields:
- myfield
- mydate (field used for the time field)
- myfield1

My search is

mysearch | lookup mylookup.csv myfield | table _time myfield mydate myfield1

All the fields have values, but not the mydate field.
I also tried to transform using eval with no success.

Does anyone have any idea how to do this?

Thank you.
Bye.
Giuseppe


Re: How to fix my time-based lookup?

It seems that you forgot to specify the OUTPUT fields. Try this:

mysearch | lookup mylookup.csv myfield OUTPUT mydate myfield1 | table _time myfield mydate myfield1


Re: How to fix my time-based lookup?

The strange thing was that my search showed all the other fields but not the field used for the Time Based Lookup!
Anyway, thank you.
Bye.
Giuseppe
