Define a time-based lookup in Splunk Web
If your lookup table has a field that represents time, you can use it to create a time-bounded lookup; which is also referred to as a temporal lookup. You can define CSV lookups, external lookups, and KV Store lookups as time-based lookups, but you cannot define a geospatial lookup as a time-based lookup.
Review the following topics:
- Lookups and the search-time operations sequence for field lookup restrictions
- Define a CSV lookup in Splunk Web
- Define an external lookup in Splunk Web
- Define a KV Store lookup in Splunk Web
Create a time-based lookup
- Select Settings > Lookups.
- Click Lookup definitions.
- Click the lookup that you want to define as a time-based lookup.
- Click the Configure time-based lookup checkbox.
- Enter the name of the field in the lookup table that represents the timestamp.
- Enter the time format of the timestamp field. The default format is UTC time.
- Enter the minimum time in seconds that the event time can be ahead of the lookup entry time for a match to occur. The default is 0.
- Enter the maximum time in seconds that the event time can be ahead of lookup entry time for a match to occur. The default is 2000000000.
- Click Save.
The Lookup definition page appears, and the lookup that you defined is listed.
Define a geospatial lookup in Splunk Web
Define an automatic lookup in Splunk Web
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12