data:image/s3,"s3://crabby-images/bb26f/bb26f520e8e696e119b11934757569a829e121f1" alt="Splunk inputlookup"
data:image/s3,"s3://crabby-images/df0ab/df0abbef6a48638cb23d0dd00c5824b1c0659da0" alt="splunk inputlookup splunk inputlookup"
`| where ( >= info_min_time AND <= info_max_time)`

If you HAVE included a time field in your lookup, then you can also use 's solution above: once you have a time field, you can re-map it to the `_time` field, which should allow you to use search (you don't need `latest=now()`; Splunk assumes that if you don't provide a `latest=` statement).

# Splunk inputlookup update

This means that the owner also defines which fields to include in the lookup, which may or may not (most do not) have a field that references a time value. Even if it DOES reference a time value, it may not be the time value you are thinking of. You would need some logic that executes when you update / create your lookup to add a time value that equates to the execution time of the creation / update of the lookup.

Example 1: Search without a subsearch. You want to find the single most frequent shopper on the Buttercup Games online store and what that shopper has purchased. To find the shopper who accessed the online shop the most, use this search. Use the `top` command to return the most frequent shopper.
data:image/s3,"s3://crabby-images/241d1/241d1f5dae01df7df903d7c919a79d6929e11b48" alt="splunk inputlookup splunk inputlookup"
One possible search is: `sourcetype=mail | lookup searchip ip OUTPUT`. You are now ready to use your file as input to search for all events that contain IP addresses that were in your CSV file.
data:image/s3,"s3://crabby-images/491b8/491b8593334c3a77471ff0e2902aeb76af38f538" alt="splunk inputlookup splunk inputlookup"
Lookup files are basically state tables that the owner defines and updates. Now, from your browser, log into Splunk and reload the props.conf and transforms.conf files for your new additions: `sourcetype=mail | extract reload=true`. If you have not included a time value anywhere in your lookup, then you cannot do this.
data:image/s3,"s3://crabby-images/bb26f/bb26f520e8e696e119b11934757569a829e121f1" alt="Splunk inputlookup"