Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timestamp for values in a lookup table

kiranpatil1985
New Member
‎05-02-2019 12:43 PM

Is there any way I can find out when was a particular value entered into a Lookup table? My search query depends on the date values was created/entered in a lookup table.
Thanks in advance.

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-04-2019 01:09 PM

Not unless it was included when the event was written. It is possible, though, that the _raw field was accidentally included in the file but you will not see it unless you do | rename _* AS invisible_* and if you have that, you can probably find the timestamp inside of the raw event.

0 Karma
Reply

somesoni2
Revered Legend
‎05-02-2019 02:16 PM

If your lookup table values doesn't contain the timestamp itself, you won't be able to know when an entry was entered. A lookup is a static csv file (assuming it's a file based lookup), and it has no historical reference to previous state.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...