

I hope this information provides you with your answer. Explanation: as you know, in the previous step we uploaded a lookup file named statuscode.csv; by using the inputlookup command we are viewing the content of that lookup file, as simply as you see.

| where ( >= info_min_time AND <= info_max_time)

If you HAVE included a time field in your lookup, then you can also use 's solution above: once you have a time field, you can re-map it to the _time field, which should allow you to use search (you don't need latest=now(); Splunk assumes that if you don't provide a latest= statement).

SPLUNK INPUTLOOKUP UPDATE

Lookup files are basically state tables that the owner defines and updates. This means that the owner also defines which fields to include in the lookup, which may or may not (most do not) have a field that references a time value. Even if it DOES reference a time value, it may not be the time value you are thinking of. If you have not included a time value anywhere in your lookup, then you cannot do this. You would need some logic that executes when you update / create your lookup to add a time value that equates to the execution time of the creation / update of the lookup.

Please provide me a query to display the value of Field 3 for corresponding Field1 and Field2 values using inputlookup or lookup command. Attached screenshot is the data of my csv file.

Example 1: Search without a subsearch. You want to find the single most frequent shopper on the Buttercup Games online store and what that shopper has purchased. To find the shopper who accessed the online shop the most, use this search. Use the top command to return the most frequent shopper.
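Putting the two halves of the answer together as an added example (not code from the original thread): the first search is the scheduled job that rebuilds the lookup and stamps every row with the time it was written, and the second search reads the lookup, re-maps that stamp to _time and lets the time picker filter it. The lookup name statuscode.csv comes from the thread; the field name last_updated, the index web and the sourcetype access_combined are assumptions.

```spl
index=web sourcetype=access_combined
| stats count AS hits BY status
| eval last_updated=now()
| outputlookup statuscode.csv

| inputlookup statuscode.csv
| eval _time=last_updated
| addinfo
| where _time >= info_min_time AND _time <= info_max_time
| fields - info_min_time info_max_time info_search_time info_sid
```

addinfo is what supplies the info_min_time and info_max_time fields used in the where clause above; they reflect whatever time range was selected when the second search ran, so the lookup rows are filtered by when the lookup was last updated rather than by any event time.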
