Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use time-base-lookup?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use time-base-lookup?
akanno
Communicator
12-10-2014
10:19 PM
Hi,Splunk community.
I have a question about time-base-lookup.
I set following attribute to transforms.conf
[test]
collection = test
external_type = kvstore
fields_list = ip,unit,time
time_field = time
time_format = %d/%m/%y/%H
and I set following attribute to collections.conf.
[test]
Result of "| inputlookup test" is following.
ip time unit
192.168.150.81 09/12/14/18 B部
192.168.150.6 09/12/14/18 A部
192.168.150.81 09/12/14/17 D部
192.168.150.6 09/12/14/17 C部
I search by "index=test | lookup test ip".
However lookup does not work.
Why doesn't work?
Is there a way to solve?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dolivasoh
Contributor
12-31-2014
06:54 PM
You had it right with "| inputlookup test", just continue your search from there or use the lookup table as enrichment to indexed data. Lookups do no go in the index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
akanno
Communicator
01-05-2015
04:44 PM
dolivasoh,Thank you for your response.
I have tried outputting the field as "index=test | lookup test ip output unit | table _time,unit,ip".
However , I don't get "unit" field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dolivasoh
Contributor
01-05-2015
09:00 AM
Try outputting the field you want from the lookup table, lookup {{table_name}} {{input_field}} output {{output_field}}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
akanno
Communicator
01-04-2015
06:08 PM
Results when I search in "index=test | table _time,ip" are following.
results
_time ip
2014-12-09 18:00:01 192.168.150.81
2014-12-09 18:00:01 192.168.150.81
2014-12-09 18:00:01 192.168.150.6
If lookup correctly works , results when I search "index=test | lookup test ip | table _time,unit,ip" are like following.
results
_time unit ip
2014-12-09 18:00:01 B部 192.168.150.81
2014-12-09 18:00:01 B部 192.168.150.81
2014-12-09 18:00:01 A部 192.168.150.6
However , I don't get the above results.
why can't I get the above result?
Results I get are following
results
_time unit ip
2014-12-09 18:00:01 192.168.150.81
2014-12-09 18:00:01 192.168.150.81
2014-12-09 18:00:01 192.168.150.6
Get Updates on the Splunk Community!
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
