You could also create a time-based lookup:
http://docs.splunk.com/Documentation/Splunk/6.4.0/Knowledge/Usefieldlookupstoaddinformationtoyourevents#Configure_a_time-based_lookup
http://docs.splunk.com/Documentation/Splunk/6.4.0/Knowledge/Configureatime-boundedlookup
Make sure your max and min offset times are correctly configured. For instance, if max offset is 3600 seconds:
# transforms.conf
[mylookup]
filename = mylookup.csv
max_offset_secs = 3600
time_field = timestamp
time_format = %Y-%m-%d %H:%M:%S
And your lookup is as follows:
timestamp,index,value
2016-04-20 10:00:00,_internal,value1
2016-04-19 09:00:00,_internal,value2
2016-04-10 16:00:00,_internal,value3
And assuming the current date is: 2016-04-21 10:00:00.
Then the following query will only return value1:
index=_internal earliest=-24h | lookup mylookup index OUTPUT value | dedup value | table value
Whereas the following will return no results:
index=_internal earliest=-23h | lookup mylookup index OUTPUT value | dedup value | table value
And the following will return values 1 and 2:
index=_internal earliest=-3d | lookup mylookup index OUTPUT value | dedup value | table value
Hope that helps.
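Added example, not part of the answer above: a small Python simulation of what the time-based lookup does with the three rows and the three time windows in the answer. It assumes the matching rule described in the Splunk docs for time-bounded lookups (a row matches when its key field equals the event's and the event is later than the row's timestamp by between min_offset_secs and max_offset_secs; when several rows qualify, the most recent one is used). The _internal events are constructed, one every 30 minutes starting 15 minutes into the search window, so no event sits exactly on the 3600-second boundary; the function names (time_based_lookup, run_query, lookup_at) are this example's own, not Splunk's.

```python
from datetime import datetime, timedelta

# The three lookup rows from the answer (constructed sample data).
LOOKUP_ROWS = [
    {"timestamp": "2016-04-20 10:00:00", "index": "_internal", "value": "value1"},
    {"timestamp": "2016-04-19 09:00:00", "index": "_internal", "value": "value2"},
    {"timestamp": "2016-04-10 16:00:00", "index": "_internal", "value": "value3"},
]
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"        # same as time_format in transforms.conf
NOW = datetime(2016, 4, 21, 10, 0, 0)    # the "current date" the answer assumes


def parse_ts(text):
    return datetime.strptime(text, TIME_FORMAT)


def time_based_lookup(event, rows, key_field="index",
                      max_offset_secs=3600, min_offset_secs=0):
    """Return the matching lookup row for one event, or None.

    Assumed rule (from the Splunk docs on time-bounded lookups, not a
    reimplementation of Splunk itself): the key field must match, and the
    event must be later than the row's timestamp by at least min_offset_secs
    and at most max_offset_secs. Of several qualifying rows, the most recent
    wins. Exact boundary behaviour (== max_offset_secs) is not exercised here.
    """
    best = None
    for row in rows:
        if row[key_field] != event[key_field]:
            continue
        row_time = parse_ts(row["timestamp"])
        delta = (event["_time"] - row_time).total_seconds()
        if min_offset_secs <= delta <= max_offset_secs:
            if best is None or row_time > parse_ts(best["timestamp"]):
                best = row
    return best


def synthetic_events(earliest, latest, index="_internal", step_minutes=30):
    """Constructed events: one every step_minutes, starting 15 min into the window."""
    events = []
    t = earliest + timedelta(minutes=15)
    while t <= latest:
        events.append({"_time": t, "index": index})
        t += timedelta(minutes=step_minutes)
    return events


def run_query(earliest_hours, now=NOW, **lookup_kwargs):
    """Simulate: index=_internal earliest=-<N>h | lookup mylookup index OUTPUT value
                 | dedup value | table value
    earliest_hours is negative, e.g. -24 for earliest=-24h."""
    earliest = now + timedelta(hours=earliest_hours)
    values = []
    for event in synthetic_events(earliest, now):
        hit = time_based_lookup(event, LOOKUP_ROWS, **lookup_kwargs)
        if hit is not None and hit["value"] not in values:   # dedup value
            values.append(hit["value"])
    return values


def lookup_at(event_ts, **lookup_kwargs):
    """Value the lookup attaches to a single _internal event at event_ts, or None."""
    event = {"_time": parse_ts(event_ts), "index": "_internal"}
    hit = time_based_lookup(event, LOOKUP_ROWS, **lookup_kwargs)
    return None if hit is None else hit["value"]


if __name__ == "__main__":
    for hours in (-24, -23, -72):
        print(f"earliest={hours}h ->", run_query(hours))
```

With max_offset_secs=3600 the simulation reproduces the answer: the -24h window returns only value1, the -23h window returns nothing (every event is more than an hour past the 2016-04-20 10:00:00 row), and the -3d window returns value1 and value2 while value3 stays out of reach. Raising max_offset_secs is the usual cause of "wrong" enrichment: an event can then match an older row, and only the most-recent-row rule keeps value1 ahead of value2.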