Following your suggestion, I've tried the following:

Collection definition:
[cdp_proxy]
enforceTypes = true
field.src_ip = string
field.username = string
field.first_seen = time
field.last_seen = time

KV store lookup definition:
[cdp_proxy]
collection = cdp_proxy
external_type = kvstore
fields_list = _key, src_ip, username, first_seen, last_seen

Time-based KV store lookup definition:
[cdp_proxy_time]
collection = cdp_proxy
external_type = kvstore
fields_list = _key, src_ip, username, first_seen, last_seen
time_field = last_seen

| inputlookup cdp_proxy (kvstore lookup)
last_seen   src_ip         username
1421664188  10.15.182.115  carvajp6
1421664638  10.15.182.115  carvajp6

| inputlookup cdp_proxy_time (time-based kvstore lookup)
last_seen   src_ip         username
1421664188  10.15.182.115  carvajp6
1421664638  10.15.182.115  carvajp6

KV store lookup command:
...
| lookup cdp_proxy src_ip username output last_seen as active_session

Time-based KV store lookup command:
...
| lookup cdp_proxy_time src_ip username output last_seen as active_session

Result: doing the same search and a similar lookup command, the time-based kvstore case has a null active_session field, while the kvstore case has the two lookup values there.
This is strange. 😞