Splunk Search

Add a Date field to a ref table that doesn't have a date field that gets updated once a month so that it will can be used as a subquery

pparkerntx99
Explorer

Howdy from Dallas Texas,
I have an employee info table that gets indexed in splunk once a month and has no date field.
This table is used extensively as Subsearch to define specific subsets of employees.
However my problem is that since the table only has a timestamp of when it is loaded each month I have to use custom date for the subsearch from the date range (i.e., earliest=-45d) to include the employee file in my main search.

I have already tried to do a field extraction of the time to add to my index but it did not seem to work.
I'm sure that there is an easy solution but I'm not very experienced with Splunk so Your suggestions/recommendations would be greatly appreciated.
Thanks

0 Karma

lguinn2
Legend

Splunk is really designed to index "events." Events are a record of something interesting that happened at a particular time. For the employee info data, I recommend that you use a lookup. Lookups are fast, and you don't need a sub-search, which will make your searches less complicated. You also don't need to mess with date ranges if you use lookups.

You will need to upload your employee info data to Splunk as a CSV file. You can update the file at will. (It's just a CSV in a particular directory on the Splunk server.)

Here is the best place to learn more, it is a tutorial on lookups: Use Field Lookups

0 Karma

musskopf
Builder

So, Splunk is timebased... I do have similar situations here but I don't see as a problem to use "earliest=-45d" in the subsearch. I normally include a bigger period, lets say that covers 2 or 3 imports, and use a "dedup" to make user I get the last record.

The other alternative is to export the employee data as a lookup table. You could use it in a lookup format or using "inputlookup" command. In both cases, there is no "date"... like that:

index=main <your search> [ inputlookup employees.csv name="John" | return id=employee_id ]

Let me know if that helps.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...