I have two related sets of data: Errors and CalcRun. The relationship in SQL speak is Many Errors to a CalcRun. When listing an error or set of errors I need to establish the appropriate CalcRun based on the time stamp.
Example:
Errors table:
CalcRun table:
Required 1 table Splunk output results from these two data inputs:
This is easy to do in SQL with a cursor; any guidance on how to do this in Splunk?
I would start with lookups rather than transaction or subsearch. From the Error events, use the _time field to do a temporal lookup for the CalcRun value. This approach will perform well and can be wired to happen automatically. It's all documented here: http://www.splunk.com/base/Documentation/latest/Knowledge/Aboutlookupsandfieldactions
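The matching rule a time-based lookup applies is worth seeing spelled out, because it decides which errors end up attached to which CalcRun and which get no match at all. The following is an added illustration, not code from the original post or from Splunk: it implements the same rule in Python over constructed sample data (the run names, timestamps and error messages are all made up for the example) so the semantics can be checked before the lookup is wired into props.conf and transforms.conf.

```python
from bisect import bisect_right
from datetime import datetime, timedelta

# Constructed sample data (not from the original post). In Splunk the CalcRun
# rows would be the lookup CSV (its start column named by time_field in
# transforms.conf) and the errors would be the indexed events with _time.
CALC_RUNS = [
    ("2011-01-05 08:00:00", "RUN-101"),
    ("2011-01-05 09:30:00", "RUN-102"),
    ("2011-01-05 11:00:00", "RUN-103"),
]
ERRORS = [
    ("2011-01-05 08:15:00", "E1 divide by zero"),
    ("2011-01-05 09:29:59", "E2 missing input"),
    ("2011-01-05 09:30:00", "E3 timeout"),
    ("2011-01-05 07:59:00", "E4 raised before any run started"),
    ("2011-01-05 18:00:00", "E5 raised long after the last run"),
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"   # same strptime style as Splunk's time_format


def parse(ts):
    return datetime.strptime(ts, TIME_FMT)


def build_index(calc_runs):
    """Sort runs by start time so each error can be matched by binary search."""
    runs = sorted((parse(ts), run) for ts, run in calc_runs)
    return [t for t, _ in runs], [r for _, r in runs]


def temporal_lookup(errors, calc_runs, max_offset=timedelta(hours=4)):
    """Attach to each error the most recent CalcRun that started at or before
    the error's timestamp, provided that run started no more than max_offset
    earlier. This mirrors a Splunk time-based lookup with min_offset_secs = 0
    and max_offset_secs = max_offset. Errors with no eligible run get None
    rather than being silently attached to a stale run."""
    starts, names = build_index(calc_runs)
    results = []
    for ts, msg in errors:
        t = parse(ts)
        i = bisect_right(starts, t) - 1      # last run whose start <= t
        run = None
        if i >= 0 and t - starts[i] <= max_offset:
            run = names[i]
        results.append((ts, msg, run))
    return results


if __name__ == "__main__":
    for row in temporal_lookup(ERRORS, CALC_RUNS):
        print(row)
```

Two things the sample shows that the one-line answer does not: an error stamped exactly at a run's start time belongs to that run, not the previous one, and errors that fall before the first run or further than the offset window after the last run come back unmatched. In Splunk the window is the min_offset_secs / max_offset_secs pair on the lookup's transforms.conf stanza, so pick it from the real run cadence and count the unmatched errors after the lookup is enabled rather than assuming every error found a run.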