I've uploaded a few .csv files as lookup tables that have a month-date timestamp column, but I'm not able to get Splunk to read that column as a date. I created a lookup definition specifying the time column and input the "%m-%Y" format (ex: 10-2013), but no dice. I had the data in %b-%Y format (ex: Oct-2013) originally, and I've also tried late binding using
| inputlookup building_elec_consumption.csv | eval time=strptime(Month, "%m-%Y") | fields time
but that creates a blank column.
IIRC strptime() has a day granularity, in that it needs at least the day to work properly. One workaround is to append the first day of the month at runtime and key "time" off of that:
| inputlookup month.csv | eval modMonth=Month."-1" | eval time=strptime(modMonth, "%Y-%m-%d")
What does your lookup table look like? Including headers.
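The workaround from the answer, adapted to the two formats mentioned in the question (10-2013 and Oct-2013), as an added example that is not from the original posts. The rows are constructed with makeresults so the search runs without any lookup file; the field names n, withDay and parsed and all sample values are assumptions made for this illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval Month=case(n=1, "10-2013", n=2, "Oct-2013", n=3, "02-2014", n=4, "not-a-month")
| eval withDay="01-".Month
| eval time=coalesce(strptime(withDay, "%d-%m-%Y"), strptime(withDay, "%d-%b-%Y"))
| eval parsed=if(isnull(time), "UNPARSED", strftime(time, "%Y-%m-%d"))
| table Month withDay time parsed
```

To run it against the lookup from the question, replace the first three lines with `| inputlookup building_elec_consumption.csv`. Rows that match neither format are flagged in the parsed column instead of silently ending up with an empty time.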