Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Temporal Lookups

craigmunro
Path Finder
‎02-28-2011 06:07 PM

Hi, I was hoping to use a lookup table to add some fields but it doesn't seem to do quite what I was hoping.

I have the following file, lookup.csv:

timestamp,host,env
2010-02-28 17:26:00,host1,dev
2010-02-28 16:50:00,host2,uat
2010-02-28 16:34:00,host1,uat

and I would like events from host1 to have the field env=uat for events up until 17:26 and env=dev for events after that. Instead all events have the field env=dev.

My transforms.conf looks like:

[mylookup]
filename = lookup.csv
time_field = timestamp
time_format = %Y-%m-%d %H:%M:%S
default_match = unknown
case_sensitive_match = false

Is this expected? Is there another way to achieve what I'm looking for?

Thanks

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎02-28-2011 06:37 PM

The stanza above should be in transforms.conf, since it defines the lookup table. To make it apply for a given sourcetype, you should add to props.conf:

[<sourcetype>]
LOOKUP-env = mylookup host OUTPUT env

Editing to include new findings:

  1. I can't reproduce the problem using time_format and rendered time, provided I change it to 2011, not 2010 (I haven't tried with 2010).
  2. It works if I use UTC epoch time, like 1298942760,host1,dev and take out the time_format attribute in transforms.conf.

Are you sure that you're looking at data from 2010 and not 2011?

View solution in original post

Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎02-28-2011 06:37 PM

The stanza above should be in transforms.conf, since it defines the lookup table. To make it apply for a given sourcetype, you should add to props.conf:

[<sourcetype>]
LOOKUP-env = mylookup host OUTPUT env

Editing to include new findings:

  1. I can't reproduce the problem using time_format and rendered time, provided I change it to 2011, not 2010 (I haven't tried with 2010).
  2. It works if I use UTC epoch time, like 1298942760,host1,dev and take out the time_format attribute in transforms.conf.

Are you sure that you're looking at data from 2010 and not 2011?

Reply
Solved! Jump to solution

craigmunro
Path Finder
‎03-01-2011 05:51 PM

Yes, that did it. Changing to the correct year (!) and using UTC time everything now works.

Thanks!

Reply
Solved! Jump to solution

craigmunro
Path Finder
‎03-01-2011 09:22 AM

Thanks Stephen, actually the stanza is in transforms.conf and I have the correct entry in props.conf I've corrected my question.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...