Splunk® Enterprise

Knowledge Manager Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Define a time-based lookup in Splunk Web

If your lookup table has a field that represents time, you can use it to create a time-bounded lookup; which is also referred to as a temporal lookup. You can define CSV lookups, external lookups, and KV Store lookups as time-based lookups, but you cannot define a geospatial lookup as a time-based lookup.

Prerequisites
Review the following topics:

Create a time-based lookup

  1. Select Settings > Lookups.
  2. Click Lookup definitions.
  3. Click the lookup that you want to define as a time-based lookup.
  4. Click the Configure time-based lookup checkbox.
  5. Enter the name of the field in the lookup table that represents the timestamp.
  6. Enter the time format of the timestamp field. The default format is UTC time.
  7. Enter the minimum time in seconds that the event time can be ahead of the lookup entry time for a match to occur. The default is 0.
  8. Enter the maximum time in seconds that the event time can be ahead of lookup entry time for a match to occur. The default is 2000000000.
  9. Click Save.

The Lookup definition page appears, and the lookup that you defined is listed.

PREVIOUS
Define a geospatial lookup in Splunk Web
  NEXT
Define an automatic lookup in Splunk Web

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters