Splunk Search

Cumulative time based (temporal) lookups possible?

phoenixdigital
Builder

I have some data in Splunk that I would like to link to some external CSV files

Splunk events have this format

_time, data, link1

The first CSV will be a time based lookup based on link1

dd/mm/yyyy, link1, link2, link3, data2, data3

The second CSV file will be another time based lookup but using data from first CSV to link (link2, link3)

dd/mm/yyyy, link2, link3, data4, data5

So I have successfully linked the first CSV via this method
http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsfromexternaldatasources#Set_up_...

What I want to know is if these lookups are cumulative?

i.e. will the second temporal lookup allow the use of results linked from the first lookup?

Or should I just go down the external script lookup route?


phoenixdigital
Builder

Just posting the solution here in case someone else wants to know how it is done

transforms.conf

[customerLookup]
filename=customer-details.csv
time_field=contract_start
time_format = %d/%m/%Y

[chargesLookup]
filename=charges.csv
time_field=date
time_format = %d/%m/%Y

props.conf

[usage-data]
LOOKUP-customerCSV = customerLookup link1 OUTPUT link2 link3 data2 data3
LOOKUP-injectionChargesCSV = chargesLookup link2 link3 OUTPUT data4 data5

It works perfectly so it's good to know this is possible.

gkanapathy
Splunk Employee

Yes, they will run in sequence. The order is determined by the lexicographic order, so that LOOKUP-a will run before LOOKUP-b.
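To make the behaviour in the accepted solution and in the ordering comment above concrete, here is an added example (not from the thread, and not Splunk's own code) that models the two chained temporal lookups in Python. Field names and the LOOKUP- stanza names come from the props.conf/transforms.conf posted above; every CSV row value is constructed. It assumes Splunk's default time-based matching (the matching row with the latest time at or before the event's _time wins) and the lexicographic LOOKUP- ordering described in the reply.

```python
import csv
import io
from datetime import datetime

# Constructed sample data: column names match the thread's config,
# but every row value below is made up for illustration.
TIME_FORMAT = "%d/%m/%Y"  # the time_format from transforms.conf

CUSTOMER_CSV = """contract_start,link1,link2,link3,data2,data3
01/01/2013,cust-A,planX,regionN,gold,monthly
01/03/2013,cust-A,planY,regionN,silver,monthly
01/01/2013,cust-B,planX,regionS,gold,yearly
"""

CHARGES_CSV = """date,link2,link3,data4,data5
01/01/2013,planX,regionN,10,usd
01/02/2013,planX,regionN,12,usd
01/01/2013,planY,regionN,8,usd
01/01/2013,planX,regionS,11,usd
"""


def load_lookup(text, time_field):
    """Parse a lookup CSV and attach a parsed datetime for its time_field column."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["_lookup_time"] = datetime.strptime(row[time_field], TIME_FORMAT)
        rows.append(row)
    return rows


def temporal_lookup(event, rows, keys, outputs):
    """Model one time-based lookup (assumed default offset semantics): among rows
    whose key fields equal the event's, take the row with the latest time at or
    before the event's _time and copy its OUTPUT fields onto the event.
    If the event lacks a key field (an earlier lookup did not match), nothing matches."""
    best = None
    for row in rows:
        if any(event.get(k) != row[k] for k in keys):
            continue
        if row["_lookup_time"] > event["_time"]:
            continue
        if best is None or row["_lookup_time"] > best["_lookup_time"]:
            best = row
    if best is not None:
        for field in outputs:
            event[field] = best[field]
    return event


# The two automatic lookups from the thread's props.conf, keyed by LOOKUP- name.
LOOKUPS = {
    "LOOKUP-customerCSV": (load_lookup(CUSTOMER_CSV, "contract_start"),
                           ["link1"], ["link2", "link3", "data2", "data3"]),
    "LOOKUP-injectionChargesCSV": (load_lookup(CHARGES_CSV, "date"),
                                   ["link2", "link3"], ["data4", "data5"]),
}


def apply_lookups(event, lookups=LOOKUPS, order=None):
    """Run the lookups in lexicographic name order (as the reply describes) unless an
    explicit order is given, so later lookups can key on earlier OUTPUT fields."""
    for name in (order or sorted(lookups)):
        rows, keys, outputs = lookups[name]
        temporal_lookup(event, rows, keys, outputs)
    return event


def enrich(event_time, link1, order=None):
    """Build a usage-data style event (time string in TIME_FORMAT) and enrich it."""
    event = {"_time": datetime.strptime(event_time, TIME_FORMAT), "link1": link1}
    return apply_lookups(event, LOOKUPS, order)


if __name__ == "__main__":
    for when, who in [("15/01/2013", "cust-A"), ("15/02/2013", "cust-A"),
                      ("15/03/2013", "cust-A"), ("15/01/2013", "cust-B"),
                      ("15/01/2013", "cust-Z")]:
        e = enrich(when, who)
        print(when, who, "->", {k: v for k, v in e.items() if k not in ("_time", "link1")})
```

Running the lookups in reverse order (charges before customer) leaves data4/data5 empty because link2 and link3 do not exist yet when the charges lookup runs; the same silent empty result appears when link1 has no customer row at all. When chained automatic lookups produce no output, check for the intermediate fields (here link2/link3) on the event before suspecting the second CSV.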

phoenixdigital
Builder

Ah good to know about the sequence they are run. Thanks


phoenixdigital
Builder

Scratch that, it was an issue with my props.conf.

IT WORKS!


phoenixdigital
Builder

I just did a test and it doesn't appear to work. But any suggestion on how to achieve this would be great.
