- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use time-base-lookup?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use time-base-lookup?
Hi,Splunk community.
I have a question about time-base-lookup.
I set following attribute to transforms.conf
[test]
collection = test
external_type = kvstore
fields_list = ip,unit,time
time_field = time
time_format = %d/%m/%y/%H
and I set following attribute to collections.conf.
[test]
Result of "| inputlookup test" is following.
ip time unit
192.168.150.81 09/12/14/18 B部
192.168.150.6 09/12/14/18 A部
192.168.150.81 09/12/14/17 D部
192.168.150.6 09/12/14/17 C部
I search by "index=test | lookup test ip".
However lookup does not work.
Why doesn't work?
Is there a way to solve?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You had it right with "| inputlookup test", just continue your search from there or use the lookup table as enrichment to indexed data. Lookups do no go in the index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dolivasoh,Thank you for your response.
I have tried outputting the field as "index=test | lookup test ip output unit | table _time,unit,ip".
However , I don't get "unit" field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try outputting the field you want from the lookup table, lookup {{table_name}} {{input_field}} output {{output_field}}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Results when I search in "index=test | table _time,ip" are following.
results
_time ip
2014-12-09 18:00:01 192.168.150.81
2014-12-09 18:00:01 192.168.150.81
2014-12-09 18:00:01 192.168.150.6
If lookup correctly works , results when I search "index=test | lookup test ip | table _time,unit,ip" are like following.
results
_time unit ip
2014-12-09 18:00:01 B部 192.168.150.81
2014-12-09 18:00:01 B部 192.168.150.81
2014-12-09 18:00:01 A部 192.168.150.6
However , I don't get the above results.
why can't I get the above result?
Results I get are following
results
_time unit ip
2014-12-09 18:00:01 192.168.150.81
2014-12-09 18:00:01 192.168.150.81
2014-12-09 18:00:01 192.168.150.6
Index This | Divide 100 by half. What do you get?
Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!
Splunk and Fraud
