Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use time-base-lookup?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use time-base-lookup?
akanno
Communicator
12-10-2014
10:19 PM
Hi,Splunk community.
I have a question about time-base-lookup.
I set following attribute to transforms.conf
[test]
collection = test
external_type = kvstore
fields_list = ip,unit,time
time_field = time
time_format = %d/%m/%y/%H
and I set following attribute to collections.conf.
[test]
Result of "| inputlookup test" is following.
ip time unit
192.168.150.81 09/12/14/18 B部
192.168.150.6 09/12/14/18 A部
192.168.150.81 09/12/14/17 D部
192.168.150.6 09/12/14/17 C部
I search by "index=test | lookup test ip".
However lookup does not work.
Why doesn't work?
Is there a way to solve?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dolivasoh
Contributor
12-31-2014
06:54 PM
You had it right with "| inputlookup test", just continue your search from there or use the lookup table as enrichment to indexed data. Lookups do no go in the index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
akanno
Communicator
01-05-2015
04:44 PM
dolivasoh,Thank you for your response.
I have tried outputting the field as "index=test | lookup test ip output unit | table _time,unit,ip".
However , I don't get "unit" field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dolivasoh
Contributor
01-05-2015
09:00 AM
Try outputting the field you want from the lookup table, lookup {{table_name}} {{input_field}} output {{output_field}}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
akanno
Communicator
01-04-2015
06:08 PM
Results when I search in "index=test | table _time,ip" are following.
results
_time ip
2014-12-09 18:00:01 192.168.150.81
2014-12-09 18:00:01 192.168.150.81
2014-12-09 18:00:01 192.168.150.6
If lookup correctly works , results when I search "index=test | lookup test ip | table _time,unit,ip" are like following.
results
_time unit ip
2014-12-09 18:00:01 B部 192.168.150.81
2014-12-09 18:00:01 B部 192.168.150.81
2014-12-09 18:00:01 A部 192.168.150.6
However , I don't get the above results.
why can't I get the above result?
Results I get are following
results
_time unit ip
2014-12-09 18:00:01 192.168.150.81
2014-12-09 18:00:01 192.168.150.81
2014-12-09 18:00:01 192.168.150.6
Get Updates on the Splunk Community!
Index This | What did the zero say to the eight?
June 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...
This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Now Playing: Splunk Education Summer Learning Premieres
It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
