I have some data in Splunk that I would like to link to some external CSV files
Splunk events have this format
_time, data, link1
The first CSV will be a time based lookup based on link1
dd/mm/yyyy, link1, link2, link3, data2, data3
The second CSV file will be another time based lookup but using data from first CSV to link (link2, link3)
dd/mm/yyyy, link2, link3, data4, data5
So I have have successfully linked the first CSV via this method http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsfromexternaldatasources#Set_up_a_time-based_fields_lookup
What I want to know is if these lookups are cumulative?
ie will the second temporal lookup allow the use of results linked from the first lookup?
Or should I just go down the external script lookup route?
