Solved: How to fix my time-based lookup?

gcusello · ‎09-16-2016

Hi at all,
I'm trying to use time based lookups and I found the following problem:
I created a Time Based Lookup and I'm able to show all the lookup fields using the "| inputlookup command"
The problem is that using the lookup in a search I see all fields but not the date.

My lookup has the following fields:
- myfield
- mydate (field used for the time field)
- myfield1

My search is

mysearch | lookup mylookup.csv myfield | table _time myfield mydate myfield1

all the fields have values but not mydate field.
I also tried to transform using eval with no success.

Someone has any idea how to do this?

Thank you.
Bye.
Giuseppe

haley_swarnapat · ‎09-16-2016

It seems that you forgot to specify the OUTPUT fields, try this:

mysearch | lookup mylookup.csv myfield OUTPUT mydate myfield1| table _time myfield mydate myfield1

View solution in original post

haley_swarnapat · ‎09-16-2016

It seems that you forgot to specify the OUTPUT fields, try this:

mysearch | lookup mylookup.csv myfield OUTPUT mydate myfield1| table _time myfield mydate myfield1

gcusello · ‎09-19-2016

The strange thing was that my search showed all the other fields but not the field used for the Time Based Lookup!
Everyway, thank you.
Bye.
Giuseppe

How to fix my time-based lookup?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk