Define a time-based lookup in Splunk Web
If your lookup table has a field that represents time, you can use it to create a time-bounded lookup; which is also referred to as a temporal lookup. You can define CSV lookups, external lookups, and KV Store lookups as time-based lookups, but you cannot define a geospatial lookup as a time-based lookup.
Review the following topics:
- Lookups and the search-time operations sequence for field lookup restrictions
- Define a CSV lookup in Splunk Web
- Define an external lookup in Splunk Web
- Define a KV Store lookup in Splunk Web
Create a time-based lookup
- Select Settings > Lookups.
- Click Lookup definitions.
- Click the lookup that you want to define as a time-based lookup.
- Click the Configure time-based lookup checkbox.
- Enter the name of the field in the lookup table that represents the timestamp.
- Enter the time format of the timestamp field. The default format is UTC time.
- Enter the minimum time in seconds that the event time can be ahead of the lookup entry time for a match to occur. The default is 0.
- Enter the maximum time in seconds that the event time can be ahead of lookup entry time for a match to occur. The default is 2000000000.
- Click Save.
The Lookup definition page appears, and the lookup that you defined is listed.
Define a geospatial lookup in Splunk Web
Define an automatic lookup in Splunk Web
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.3.0