Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to use time-base-lookup?

akanno
Communicator
‎12-10-2014 10:19 PM

Hi,Splunk community.

I have a question about time-base-lookup.

I set following attribute to transforms.conf

[test]
collection = test
external_type = kvstore
fields_list = ip,unit,time
time_field = time
time_format = %d/%m/%y/%H

and I set following attribute to collections.conf.

[test]

Result of "| inputlookup test" is following.

ip time unit
192.168.150.81 09/12/14/18 B部
192.168.150.6 09/12/14/18 A部
192.168.150.81 09/12/14/17 D部
192.168.150.6 09/12/14/17 C部

I search by "index=test | lookup test ip".
However lookup does not work.

Why doesn't work?
Is there a way to solve?

Tags (1)
0 Karma
Reply

dolivasoh
Contributor
‎12-31-2014 06:54 PM

You had it right with "| inputlookup test", just continue your search from there or use the lookup table as enrichment to indexed data. Lookups do no go in the index.

0 Karma
Reply

akanno
Communicator
‎01-05-2015 04:44 PM

dolivasoh,Thank you for your response.

I have tried outputting the field as "index=test | lookup test ip output unit | table _time,unit,ip".

However , I don't get "unit" field.

0 Karma
Reply

dolivasoh
Contributor
‎01-05-2015 09:00 AM

Try outputting the field you want from the lookup table, lookup {{table_name}} {{input_field}} output {{output_field}}

0 Karma
Reply

akanno
Communicator
‎01-04-2015 06:08 PM

Results when I search in "index=test | table _time,ip" are following.

results
_time ip
2014-12-09 18:00:01 192.168.150.81
2014-12-09 18:00:01 192.168.150.81
2014-12-09 18:00:01 192.168.150.6

If lookup correctly works , results when I search "index=test | lookup test ip | table _time,unit,ip" are like following.

results
_time unit ip
2014-12-09 18:00:01 B部 192.168.150.81
2014-12-09 18:00:01 B部 192.168.150.81
2014-12-09 18:00:01 A部 192.168.150.6

However , I don't get the above results.
why can't I get the above result?
Results I get are following

results
_time unit ip
2014-12-09 18:00:01 192.168.150.81
2014-12-09 18:00:01 192.168.150.81
2014-12-09 18:00:01 192.168.150.6

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...