Splunk® Enterprise

Knowledge Manager Manual


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Configure a time-based lookup

If your lookup table has a field that represents time, you can use it to create a time-bounded lookup. This is also referred to as a temporal lookup. You can configure all four lookup types as time-bounded lookups.

To create a time-bounded lookup, add the following lines to your lookup stanza in transforms.conf:

time_field = <field_name>
time_format = <string>

If the time_field attribute is present, max_matches = 1 by default and Splunk software applies the first matching entry in descending order. For more information about max_matches, see "Add field matching rules to your lookup configuration," in this manual.

The time_format attribute specifies the strptime() format of the time_field attribute. The default value for the time_format attribute is %s.%Q, where you enter a Unix epoch time value in seconds (%s) and can optionally include milliseconds (%Q).

Note: You can use some nonstandard date-time strptime() formats. For example, when you define ISO 8601 timestamps (a Unix epoch time value in seconds), you can use time_format = '%s.%Q', where %s represents seconds and %Q represents milliseconds. See the subtopic "Enhanced strptime() support" in "Configure timestamp recognition," in the Getting Data In Manual.

For time-bounded lookups, you can also specify offsets: the minimum and maximum amounts of time by which an event may be later than a lookup entry for a match to occur. To do this, add the following lines to your stanza:

max_offset_secs = <integer>
min_offset_secs = <integer>

By default there is no maximum offset. The default minimum offset is 0.

Time-based lookup example

Here's an example of a CSV lookup that uses DHCP logs to identify users on a network based on their IP address and the timestamp. The DHCP logs are in a file, dhcp.csv, which contains the timestamp, IP address, and the user's name and MAC address.

  1. In a transforms.conf file, put (the stanza name is the one that props.conf refers to below):
    [dhcpLookup]
    filename = dhcp.csv
    time_field = timestamp
    time_format = %d/%m/%y %H:%M:%S
  2. In a props.conf file, make the lookup automatic:
    LOOKUP-table = dhcpLookup ip mac OUTPUT user
  3. Restart Splunk Enterprise.
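The matching rules described above (descending time order, max_matches = 1, min_offset_secs and max_offset_secs), modelled in Python over a constructed dhcp.csv so you can see which lease an event is attributed to. This is an added illustration, not Splunk's code; the CSV contents, the function names and the event times are all made up for the example.

```python
"""Model of a Splunk time-bounded (temporal) lookup as described above.

Constructed example, not Splunk's implementation. Rules modelled:
  * key fields (ip, mac) must equal the lookup row's values;
  * the event must be at or after the row's time_field, and the gap
    event_time - row_time must be >= min_offset_secs and, when a
    max_offset_secs is set, <= max_offset_secs;
  * rows are examined in descending time order with max_matches = 1,
    so the most recent eligible lease wins.
"""
import csv
import io
from datetime import datetime
from typing import Optional

TIME_FORMAT = "%d/%m/%y %H:%M:%S"   # time_format from the dhcpLookup stanza

# Constructed stand-in for dhcp.csv: one IP leased to two hosts over a day.
DHCP_CSV = """timestamp,ip,mac,user
01/06/17 08:00:00,10.0.0.5,aa:bb:cc:00:00:01,alice
01/06/17 12:00:00,10.0.0.5,aa:bb:cc:00:00:02,bob
01/06/17 18:00:00,10.0.0.5,aa:bb:cc:00:00:01,alice
"""


def parse_time(text: str, time_format: str = TIME_FORMAT) -> datetime:
    """strptime() with the stanza's time_format (hypothetical helper)."""
    return datetime.strptime(text, time_format)


def load_lookup(csv_text: str, time_field: str, time_format: str) -> list:
    """Read the lookup table and sort it newest-first (descending order)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["_time"] = parse_time(row[time_field], time_format)
    rows.sort(key=lambda r: r["_time"], reverse=True)
    return rows


def temporal_lookup(rows: list, event_time: datetime, keys: dict,
                    output: str = "user", min_offset_secs: int = 0,
                    max_offset_secs: Optional[int] = None) -> Optional[str]:
    """Return the output field of the first eligible row, or None."""
    for row in rows:
        if any(row[k] != v for k, v in keys.items()):
            continue                      # key fields (ip, mac) must match
        gap = (event_time - row["_time"]).total_seconds()
        if gap < min_offset_secs:
            continue                      # event precedes (or is too close to) the lease
        if max_offset_secs is not None and gap > max_offset_secs:
            continue                      # lease is too old for this event
        return row[output]                # max_matches = 1: first hit wins
    return None
```

Without max_offset_secs, an event hours after a lease is still attributed to it; setting one turns a stale lease into "no match" instead of a misattributed user.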
Last modified on 23 May, 2017

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12
