My inputlookup csv is in this format:
YEAR, SiteID, earliest_date, latest_date, EVENT_ID
2019, AB111, 1560988800, 1562112000, ABSE00350
2019, AB111, 1562198400, 1563321600, ABSE00351
2019, AB111, 1548892800, 1550016000, ABSE00352
I want to search the 'SiteID' field in an index (which contains this field), and query a KPI avg between the time window of the 'earliest_date' and 'latest_date', and then return the SiteID along with the KPI. So far this works fine. The problem is that if the same SiteID has multiple occurrences with different time windows (as shown above), the query only returns a single result.
Output of search query:
SiteID, KPI
AB111, 68.4
Maybe I need to also use some other field to make each occurrence unique to the search. I would love to use the 'EVENT_ID' field in the inputlookup to do that, but this field does not exist in the Splunk index. Ideally I want to get an output like this:
Ideal Output:
SiteID, KPI, EVENT_ID
AB111, 68.4, ABSE00350
AB111, 74.3, ABSE00351
AB111, 22.1, ABSE00352
Please advise
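One way to get one KPI row per lookup row, added here as an illustration and not part of the original post: drive a separate sub-search per CSV row with the `map` command, so each row's own `earliest_date`/`latest_date` becomes that sub-search's time window, and then re-attach the `SiteID` and `EVENT_ID` values from the lookup (which the index does not carry) with `eval`. The lookup file name `events.csv`, the index name `my_index`, the KPI field name `kpi_value` and the `maxsearches` value are assumptions; substitute the real ones.

```spl
| inputlookup events.csv
| map maxsearches=100 search="search index=my_index SiteID=\"$SiteID$\" earliest=$earliest_date$ latest=$latest_date$ | stats avg(kpi_value) AS KPI | eval SiteID=\"$SiteID$\", EVENT_ID=\"$EVENT_ID$\""
| table SiteID KPI EVENT_ID
```

Two things to check before relying on this: `maxsearches` must be at least the number of rows in the lookup (the default is 10, and rows beyond that are silently skipped), and the CSV header must not contain spaces after the commas, because a Splunk CSV lookup does not trim them and the field would then be named " SiteID" rather than "SiteID", so `$SiteID$` would never be substituted.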