Define a time-based lookup in Splunk Web
If your lookup table has a field that represents time, you can use it to create a time-bound lookup; which is also referred to as a temporal lookup. You can define CSV lookups, external lookups, and KV Store lookups as time-based lookups, but you cannot define a geospatial lookup as a time-based lookup.
Prerequisites
Review the following topics:
- Lookups and the search-time operations sequence for field lookup restrictions
- Define a CSV lookup in Splunk Web
- Define an external lookup in Splunk Web
- Define a KV Store lookup in Splunk Web
Create a time-based lookup
- Select Settings > Lookups.
- Click Lookup definitions.
- Click the lookup that you want to define as a time-based lookup.
- Click the Configure time-based lookup checkbox.
- Enter the name of the field in the lookup table that represents the timestamp.
- Enter the time format of the timestamp field. The default format is UTC time.
- Enter the minimum time in seconds that the event time can be ahead of the lookup entry time for a match to occur. The default is 0.
- Enter the maximum time in seconds that the event time can be ahead of lookup entry time for a match to occur. The default is 2000000000.
- Click Save.
The Lookup definition page appears, and the lookup that you defined is listed.
Last modified on 11 November, 2021
| Define a geospatial lookup in Splunk Web | Define an automatic lookup in Splunk Web |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.3.2411 (latest FedRAMP release), 8.2.2112, 8.2.2201, 8.2.2203, 8.2.2202, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406, 9.3.2408
Download manual
Feedback submitted, thanks!