Hi.
To start with, I have a lookup table like so.
keyValue.csv
`date key value`
`01/01/2017 EE Enterprise Edition`
`01/03/2017 EE Edited Edition`
`01/05/2017 EE Epsilon Edition`
Now, we see that the value for the key `EE` changes twice.
For events coming from an index, I have _time and a field called 'Name'.
Like this.
index=event_container
`_time Name`
`01/12/2016 EE`
`01/02/2017 EE`
`01/04/2017 EE`
`01/12/2017 EE`
What I'm looking to do is retrieve the value from the lookup for the "Name" in the event, and display it alongside the Name, but with the time taken into consideration. Hence:
`_time Name Description`
`01/12/2016 EE (whatever previous value if it existed)`
`01/02/2017 EE Enterprise Edition`
`01/04/2017 EE Edited Edition`
`01/12/2017 EE Epsilon Edition`
What I have so far is: `index=event_container | lookup keyValue.csv date key value | join type=inner _time | table _time, Name, value | rename value as Description`
Thank you.
-SnipeDown21
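
Added example, not part of the original post: Splunk supports this kind of "value as of the event time" match through a time-based lookup definition in `transforms.conf`, sketched here for the `keyValue.csv` table above. The stanza name `keyValue_by_time`, the day/month/year reading of the dates, the comma-separated CSV header and the one-year validity window are assumptions.

```ini
# transforms.conf
# Added example. The stanza name keyValue_by_time is hypothetical.
# Assumption: keyValue.csv is comma-separated with the header  date,key,value
[keyValue_by_time]
filename = keyValue.csv

# Column of the lookup file that holds the time each row takes effect.
time_field = date

# strptime format of that column.
# Assumption: the dates on the page are day/month/year; use %m/%d/%Y if not.
time_format = %d/%m/%Y

# A row can match only when the event's _time is later than the row's date
# by at least min_offset_secs and at most max_offset_secs.
min_offset_secs = 0

# Assumption: a row stops applying 366 days after its date. Leave this
# setting out to keep Splunk's default window.
max_offset_secs = 31622400

# Search that uses the definition (SPL, shown as a comment so the example
# stays in one file). The lookup is matched on key = Name and on _time:
#
#   index=event_container
#   | lookup keyValue_by_time key AS Name OUTPUT value AS Description
#   | table _time, Name, Description
```

An event dated before the first row of the table, such as the 01/12/2016 event, finds no row inside the window and gets no `Description`.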