Splunk® Enterprise

Knowledge Manager Manual

Download manual as PDF

Download topic as PDF

Configure a time-based lookup

If your lookup table has a field that represents time, you can use it to create a time-bounded lookup. This is also referred to as a temporal lookup. You can configure all four lookup types as time-bounded lookups.

To create a time-bounded lookup, add the following lines to your lookup stanza in transforms.conf: 

time_field = <field_name>
time_format = <string>

If the time_field attribute is present, max_matches = 1 by default and Splunk software applies the first matching entry in descending order. For more information about max_matches see "Add field matching rules to your lookup configuration," in this manual.

The time_format attribute specifies the strptime() format of the time_field attribute. The default value for the time_format attribute is %s.%Q, where you enter a Unix epoch time value in seconds (%s) and can optionally include milliseconds (%Q).

Note: You can use some nonstandard date-time strptime() formats. For example, when you define ISO 8601 timestamps (a Unix epoch time value in seconds), you can use time_format = '%s.%Q', where %s represents seconds and %Q represents milliseconds. See the subtopic "Enhanced strptime() support" in "Configure timestamp recognition," in the Getting Data In Manual.

For a match to occur with time-bounded lookups, you can also specify offsets for the minimum and maximum amounts of time that an event may be later than a lookup entry. To do this, add the following lines to your stanza: 

max_offset_secs = <integer>
min_offset_secs = <integer>

By default there is no maximum offset. The default minimum offset is 0.

Time-based lookup example

Here's an example of a CSV lookup that uses DHCP logs to identify users on a network based on their IP address and the timestamp. The DHCP logs are in a file, dhcp.csv, which contains the timestamp, IP address, and the user's name and MAC address.

Prerequisities

Steps

  1. In a transforms.conf file, put: 
    [dhcpLookup]
filename = dhcp.csv
time_field = timestamp
time_format = %d/%m/%y %H:%M:%S
  2. In a props.conf file, make the lookup automatic: 
    [dhcp]
LOOKUP-table = dhcpLookup ip mac OUTPUT user


  3. Restart Splunk Enterprise.
Retrieved from "https://docs.splunk.com/index.php?title=Documentation:Splunk:Knowledge:Configureatime-boundedlookup:5.0beta&oldid=1021848"
PREVIOUS
Add field matching rules to your lookup configuration 		  NEXT
Make your lookup automatic

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters