This would match the appropriate IP address and give us a table like this one:
The query also shows that you could use the same lookup for different fields by
using the as keyword in the lookup call.
Using time in lookups
A temporal lookup is used to enrich events based on when the event happened.
To accomplish this, we specify the beginning of a time range in the lookup source
and then specify a format for this time in our lookup configuration. Using this
mechanism, lookup values can change over time, even retroactively.
Here is a very simple example that attaches a version field based on time. Say we
have the following CSV file:
sourcetype,version,time
impl_splunk_gen,1.0,2012-09-19 02:56:30 UTC
impl_splunk_gen,1.1,2012-09-22 12:01:45 UTC
impl_splunk_gen,1.2,2012-09-23 18:12:12 UTC
We then add a lookup stanza in transforms.conf to specify which field in our
lookup will be tested against the time of each event, and what the format of that
time field is:
[versions]
filename = versions.csv
time_field = time
time_format = %Y-%m-%d %H:%M:%S %Z
With this in place, we can now use our lookup in search, like so:
sourcetype=impl_splunk_gen error
| lookup versions sourcetype
| timechart count by version
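The following is an added example, not code from the book or from Splunk: a small Python re-implementation of the temporal matching that the search above relies on, using the same versions.csv contents and the same time_format string. The matching rule implemented here (each event takes the latest lookup row whose time is at or before the event's _time, and gets nothing if no such row exists) is assumed to be the default behaviour; the sample events, the level field, and the helper names load_temporal_lookup, temporal_lookup, enrich_all and count_by_version are all constructed for this example.

```python
import csv
import io
from bisect import bisect_right
from collections import Counter
from datetime import datetime

# The lookup CSV from the text, embedded inline so the example runs offline.
VERSIONS_CSV = """sourcetype,version,time
impl_splunk_gen,1.0,2012-09-19 02:56:30 UTC
impl_splunk_gen,1.1,2012-09-22 12:01:45 UTC
impl_splunk_gen,1.2,2012-09-23 18:12:12 UTC
"""

# Same value as time_format in the [versions] stanza of transforms.conf.
# Python's strptime accepts "UTC" for %Z but returns a naive datetime, so
# every time in this example is treated as UTC.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S %Z"


def load_temporal_lookup(csv_text, match_field, time_field, time_format):
    """Parse the CSV into {match_value: [(time, row), ...]} sorted by time."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row[time_field], time_format)
        table.setdefault(row[match_field], []).append((when, row))
    for entries in table.values():
        entries.sort(key=lambda entry: entry[0])
    return table


def temporal_lookup(event, table, match_field, output_fields):
    """Return a copy of event enriched from the latest lookup row whose time is
    at or before event["_time"] (assumed default matching rule). Events with
    no matching row, or earlier than the first row, are returned unchanged."""
    entries = table.get(event.get(match_field), [])
    times = [when for when, _ in entries]
    idx = bisect_right(times, event["_time"]) - 1  # -1 when nothing qualifies
    enriched = dict(event)
    if idx >= 0:
        for field in output_fields:
            enriched[field] = entries[idx][1][field]
    return enriched


# Constructed sample events (hypothetical; not from the book). The first one
# predates every lookup row and the last one has a sourcetype with no rows.
EVENTS = [
    {"_time": datetime(2012, 9, 18, 23, 0, 0), "sourcetype": "impl_splunk_gen", "level": "error"},
    {"_time": datetime(2012, 9, 19, 3, 0, 0), "sourcetype": "impl_splunk_gen", "level": "error"},
    {"_time": datetime(2012, 9, 22, 12, 1, 45), "sourcetype": "impl_splunk_gen", "level": "error"},
    {"_time": datetime(2012, 9, 23, 20, 0, 0), "sourcetype": "impl_splunk_gen", "level": "error"},
    {"_time": datetime(2012, 10, 1, 8, 30, 0), "sourcetype": "impl_splunk_gen", "level": "error"},
    {"_time": datetime(2012, 10, 1, 8, 31, 0), "sourcetype": "other_sourcetype", "level": "error"},
]


def enrich_all(events=EVENTS):
    """Stand-in for '| lookup versions sourcetype' over the sample events."""
    table = load_temporal_lookup(VERSIONS_CSV, "sourcetype", "time", TIME_FORMAT)
    return [temporal_lookup(e, table, "sourcetype", ["version"]) for e in events]


def count_by_version(events):
    """Rough stand-in for '| timechart count by version' without the time
    buckets: count events per version, using 'NULL' for unenriched events."""
    return dict(Counter(e.get("version", "NULL") for e in events))


if __name__ == "__main__":
    enriched = enrich_all()
    for e in enriched:
        print(e["_time"], e["sourcetype"], e.get("version", "NULL"))
    print(count_by_version(enriched))
```

The event whose _time equals a row's time exactly (2012-09-22 12:01:45) picks up that row's version, because bisect_right treats an equal time as "at or before"; events earlier than the first row, or with a sourcetype absent from the CSV, get no version and therefore show up as NULL in the count, which is the same gap you would see in the timechart.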