"That's the secret to life," as Snoopy says. And in Splunk, lookup tables are the secret to data enrichment.

For those of you who may be new to Splunk, lookups are tables that allow you to enhance your data. You can create fields to add to your events from a Python command or a CSV file. Lookups are located in the lookups directory in the app ($SPLUNK_HOME/etc/apps//lookups).

Say you want an HTTP status code of 202 to appear in a new field called "http_description" as "Success". The CSV file for this lookup table would look something like this:

The following stanza would be added to your nf file:

Finally, a lookup statement would be added to the nf file to do an automatic lookup:

LOOKUP-http = http_status_description.csv userid AS myuserid OUTPUT username AS myusername

But what if you need a time-based lookup? For example, you have a dashboard with a form that allows employees to submit data on a daily basis. Once you submit, the data will actually be saved into a lookup table, including a timestamp. Your lookup table could look something like:

Therefore, if you wanted to see all data input for the past 24 hours, 90 days, etc., you can search your lookup for that time range. The search will return all data inputs that occurred. To do this, add the following stanza to your nf:

*This time_format is in strptime format; time_format otherwise defaults to epoch time.

Additionally, if you wanted to be more lenient in time frames, you can set the max_offset_secs. This property will even match events occurring outside the exact time frame you searched, by up to the maximum number of seconds you set. The max_offset_secs defaults to 2000000000 (two billion). There is also a min_offset_secs, which defaults to 0.
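To make the time-based matching concrete, here is an added example (not code from the original post, and not Splunk's own implementation) that models a temporal lookup in plain Python: it loads a constructed lookup CSV with a timestamp column, parses that column with a strptime `time_format` (falling back to epoch seconds for `%s`), and applies `min_offset_secs` / `max_offset_secs` when deciding which row enriches an event, the way an automatic `LOOKUP-` stanza would. The CSV contents, the settings dictionary, the field names and the rule "latest qualifying row wins" are all assumptions of this example, chosen to illustrate the settings the post names rather than to reproduce Splunk internals.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed lookup table standing in for the post's employee-submission lookup.
LOOKUP_CSV = """userid,submitted,value
alice,2024-03-01 09:00:00,approved
alice,2024-03-02 09:00:00,rejected
bob,2024-03-01 10:30:00,approved
"""

# Constructed settings mirroring the transforms.conf keys the post mentions.
# time_format is a strptime pattern; Splunk's default of %s means epoch seconds.
LOOKUP_SETTINGS = {
    "time_field": "submitted",
    "time_format": "%Y-%m-%d %H:%M:%S",
    "min_offset_secs": 0,            # Splunk default
    "max_offset_secs": 2000000000,   # Splunk default (two billion)
}


def parse_lookup_time(value, time_format):
    """Convert a lookup timestamp to epoch seconds (UTC assumed for this example)."""
    if time_format == "%s":
        return int(value)
    dt = datetime.strptime(value, time_format).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def load_lookup(csv_text, settings):
    """Read the CSV and attach a parsed epoch time (_time) to every row."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["_time"] = parse_lookup_time(row[settings["time_field"]], settings["time_format"])
        rows.append(row)
    rows.sort(key=lambda r: r["_time"])
    return rows


def temporal_match(rows, key_field, key_value, event_time, settings):
    """Return the lookup row that applies to an event, or None.

    Assumed model: a row matches when its key equals the event's key and the event
    is later than the row by between min_offset_secs and max_offset_secs.
    When several rows qualify, the most recent one wins.
    """
    lo, hi = settings["min_offset_secs"], settings["max_offset_secs"]
    best = None
    for row in rows:
        if row[key_field] != key_value:
            continue
        offset = event_time - row["_time"]
        if lo <= offset <= hi and (best is None or row["_time"] > best["_time"]):
            best = row
    return best


def enrich_events(events, rows, key_field, output_field, settings):
    """Automatic-lookup analogue: add output_field to each event that has a match."""
    enriched = []
    for ev in events:
        ev = dict(ev)
        row = temporal_match(rows, key_field, ev[key_field], ev["_time"], settings)
        ev[output_field] = row[output_field] if row else None
        enriched.append(ev)
    return enriched


if __name__ == "__main__":
    rows = load_lookup(LOOKUP_CSV, LOOKUP_SETTINGS)
    fmt = LOOKUP_SETTINGS["time_format"]
    events = [  # constructed events
        {"userid": "alice", "_time": parse_lookup_time("2024-03-01 12:00:00", fmt)},
        {"userid": "alice", "_time": parse_lookup_time("2024-03-02 12:00:00", fmt)},
        {"userid": "bob", "_time": parse_lookup_time("2024-02-28 12:00:00", fmt)},
    ]
    for ev in enrich_events(events, rows, "userid", "value", LOOKUP_SETTINGS):
        print(ev)
    # Tightening max_offset_secs to one hour drops matches more than an hour old.
    tight = dict(LOOKUP_SETTINGS, max_offset_secs=3600)
    for ev in enrich_events(events, rows, "userid", "value", tight):
        print("tight:", ev)
```

Running it shows alice's first event picking up the 09:00 row, her second event picking up the newer 2024-03-02 row, and bob's event (which precedes his submission) getting no value; with `max_offset_secs` cut to 3600 the three-hour-old alice match disappears, which is the leniency knob the post describes.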