Configure a time-based lookup
If your lookup table has a field that represents time, you can use it to create a time-bounded lookup. This is also referred to as a temporal lookup. You can configure all four lookup types as time-bounded lookups.
To create a time-bounded lookup, add the following lines to your lookup stanza in
time_field = <field_name> time_format = <string>
time_field attribute is present,
max_matches = 1 by default and Splunk software applies the first matching entry in descending order. For more information about
max_matches see "Add field matching rules to your lookup configuration," in this manual.
time_format attribute specifies the strptime() format of the
time_field attribute. The default value for the
time_format attribute is
%s.%Q, where you enter a Unix epoch time value in seconds (%s) and can optionally include milliseconds (%Q).
Note: You can use some nonstandard date-time
strptime() formats. For example, when you define ISO 8601 timestamps (a Unix epoch time value in seconds), you can use
time_format = '%s.%Q', where
%s represents seconds and
%Q represents milliseconds. See the subtopic "Enhanced strptime() support" in "Configure timestamp recognition," in the Getting Data In Manual.
For a match to occur with time-bounded lookups, you can also specify offsets for the minimum and maximum amounts of time that an event may be later than a lookup entry. To do this, add the following lines to your stanza:
max_offset_secs = <integer> min_offset_secs = <integer>
By default there is no maximum offset. The default minimum offset is 0.
Time-based lookup example
Here's an example of a CSV lookup that uses DHCP logs to identify users on a network based on their IP address and the timestamp. The DHCP logs are in a file,
dhcp.csv, which contains the timestamp, IP address, and the user's name and MAC address.
- See about lookups and field actions for more information on lookups.
- See Make your lookup automatic for information on configuring an automatic lookup.
- In a
[dhcpLookup] filename = dhcp.csv time_field = timestamp time_format = %d/%m/%y %H:%M:%S
- In a
props.conffile, make the lookup automatic:
[dhcp] LOOKUP-table = dhcpLookup ip mac OUTPUT user
- Restart Splunk Enterprise.
Add field matching rules to your lookup configuration
Make your lookup automatic
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12