
Suppose that I have events for my devices being splunked and each device is associated with an account ID located in a database.

We have a scenario as follows:

  • A device starts out associated with one account (say account “A”) from Feb-March
  • The device THEN gets re-associated to another account (say Account “B”) in April

    Reports generated for Feb-March must associate the Account “A” database information with the device, whereas any report after March must associate the Account “B” database information with the device.

    How would splunk handle this scenario and/or need to be setup to enforce these reporting requirements? Any experience or best practices would be greatly appreciated.

  • asked 28 Feb '11, 16:10


    maverick ♦
    2.6k6573
    accept rate: 14%


    One Answer:

    Hey Maverick,

    For this one you'd want a time-based lookup. See docs here: http://www.splunk.com/base/Documentation/latest/Knowledge/Addfieldsfromexternaldatasources#Set_up_a_time-based_fields_lookup

    Look for other answers for best practices on this.

    D


    answered 28 Feb '11, 16:42


    DrewO
    1124
    accept rate: 11%

    So you are saying I could match the event time on a temporal month and year based field? If so, then I could maintain the new mappings as they change in the lookup file, correct?

    (28 Feb '11, 16:51) maverick ♦
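Worked example of the time-based lookup DrewO points to, added here as an illustration; it is not code from the thread or from Splunk. The CSV content and the event times are constructed for the scenario in the question; the `transforms.conf` setting names in the comment (`time_field`, `time_format`, `min_offset_secs`, `max_offset_secs`) are Splunk's documented settings, while the matching function is my own model of how Splunk chooses a row (the lookup entry nearest to the event, at or before the event time, inside the offset window), so treat its tie-breaking as an assumption to confirm against the docs linked above.

```python
import csv
import io
from datetime import datetime

# Constructed lookup table for the question's scenario (not from the original post).
# In Splunk this is a CSV under the app's lookups/ directory, declared in
# transforms.conf roughly as follows (setting names are Splunk's, values are mine):
#
#   [device_account_lookup]
#   filename        = device_account.csv
#   time_field      = effective_from
#   time_format     = %Y-%m-%d %H:%M:%S
#   min_offset_secs = 0
#   max_offset_secs = 2000000000
#
# and applied at search time with:
#   ... | lookup device_account_lookup device OUTPUT account_id
#
# Re-associating a device means appending a row with the new effective_from;
# the old row stays so that searches over earlier months still resolve to it.
LOOKUP_CSV = """\
effective_from,device,account_id
2011-02-01 00:00:00,dev-001,A
2011-04-01 00:00:00,dev-001,B
2011-02-01 00:00:00,dev-002,C
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def load_lookup(text):
    """Parse the lookup CSV, converting the time field to a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["effective_from"] = datetime.strptime(row["effective_from"], TIME_FORMAT)
        rows.append(row)
    return rows


def temporal_match(rows, device, event_time,
                   min_offset_secs=0, max_offset_secs=2_000_000_000):
    """Model of a time-based lookup (assumption about Splunk's selection rule):
    among rows for this device whose time is between min_offset_secs and
    max_offset_secs *before* the event, return the account_id of the nearest one.
    Returns None when no row is in the window (e.g. event predates any mapping)."""
    best = None
    for row in rows:
        if row["device"] != device:
            continue
        age = (event_time - row["effective_from"]).total_seconds()
        if age < min_offset_secs or age > max_offset_secs:
            continue
        if best is None or row["effective_from"] > best["effective_from"]:
            best = row
    return best["account_id"] if best else None


def enrich(rows, events):
    """Attach account_id to each constructed event, the way the lookup would."""
    return [
        dict(ev, account_id=temporal_match(rows, ev["device"], ev["_time"]))
        for ev in events
    ]


# Constructed events: one per month for dev-001, plus an out-of-range one.
SAMPLE_EVENTS = [
    {"_time": datetime(2011, 1, 10, 9, 0), "device": "dev-001"},   # before any mapping
    {"_time": datetime(2011, 2, 15, 9, 0), "device": "dev-001"},   # account A period
    {"_time": datetime(2011, 3, 20, 9, 0), "device": "dev-001"},   # still account A
    {"_time": datetime(2011, 4, 1, 0, 0), "device": "dev-001"},    # exactly at switch
    {"_time": datetime(2011, 4, 25, 9, 0), "device": "dev-001"},   # account B period
    {"_time": datetime(2011, 5, 5, 9, 0), "device": "dev-002"},    # single mapping
]


def report(events=SAMPLE_EVENTS, lookup_text=LOOKUP_CSV):
    """Return (month, device, account_id) tuples, what a monthly report would show."""
    rows = load_lookup(lookup_text)
    return [
        (ev["_time"].strftime("%Y-%m"), ev["device"], ev["account_id"])
        for ev in enrich(rows, events)
    ]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Note that `time_format` defaults to epoch seconds (`%s`) when omitted, and that an event older than every row for its device gets no `account_id` at all; a report that silently drops such events is a quieter failure than one that shows a wrong account, so the January row above is worth keeping in any test data.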

    Copyright © 2005-2012 Splunk, Inc. All rights reserved.