Splunk Search

Need ideas for lookups

Contributor

All,

I am correlating two non-related data types. Email to ERP Customers. I am going to accomplish this by referencing the recipient email address in the ERP customer information.

What I did was load all the ERP customer information into splunk, and then attempted to join them:

get_outbound_email | join recipientlist [search sourcetype="SalesGroups" |eval recipientlist=lower(recipientlist)]  

This actually worked pretty well. Then I ran into a snag. I want relevant email (current) but the "SalesGroup" information is going to be loaded weekly. So, when I correlate events in the last 4 hours, or even 24 hours, the results are blank because Splunk is trying to query the "SalesGroup" source for that time frame too.

I don't think a CSV lookup will suffice in this case, because it's 400k records. However, if it will, I can attempt that route.

If I could ignore time on the subsearch, that would be ideal.

Thanks for the ideas!

1 Solution

Contributor

BAH! That was too easy. earliest=-7d in the search string will work.

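As an added example (not from the original thread), here is where that modifier goes: inside the subsearch brackets, so it widens only the SalesGroups window and leaves the outer email search on its own time picker. The second search is the CSV-lookup route the question mentions, refreshed by the weekly load instead of re-joined on every query. The customer_id field and the salesgroups_customers.csv file name are assumptions; get_outbound_email is the email search from the post.

```spl
get_outbound_email
| eval recipientlist=lower(recipientlist)
| join type=inner recipientlist
    [ search sourcetype="SalesGroups" earliest=-7d latest=now
      | eval recipientlist=lower(recipientlist)
      | dedup recipientlist
      | fields recipientlist customer_id ]

search sourcetype="SalesGroups" earliest=-7d latest=now
| eval recipientlist=lower(recipientlist)
| dedup recipientlist
| table recipientlist customer_id
| outputlookup salesgroups_customers.csv

get_outbound_email
| eval recipientlist=lower(recipientlist)
| lookup salesgroups_customers.csv recipientlist OUTPUT customer_id
| where isnotnull(customer_id)
```

The join variant is still capped by subsearch_maxout in the [join] stanza of limits.conf (50,000 rows by default), which a 400k-record weekly load can exceed; the outputlookup/lookup pair has no such cap, and the lowercasing on both sides keeps the match case-insensitive.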
