I'm looking to find a way to match up info from one data source that only changes once per day, and another data source that changes frequently. Each night we map user_id to computer_id and that file gets ingested into Splunk. During the day I have a constant stream of data coming in with mappings of action_taken and computer_id.
My challenge is that I need to be able to look up the mapping of user_id to action_taken historically, to within the minute, and through the API.
What is the best way to search/lookup/report that mapping?
Thanks!