I'm looking to find a way to match up info from one data source that only changes once per day, and another data source that changes frequently. Each night we map `user_id` to `computer_id` and that file gets ingested into Splunk. During the day I have a constant stream of data coming in with mappings of `action_taken` and `computer_id`.
My challenge is that I need to be able to look up the mapping of `user_id` to `action_taken` historically, to within the minute, and through the API.
What is the best way to search/lookup/report that mapping?
Thanks!