Splunk Cloud

Knowledge Manager Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Define a time-based lookup in Splunk Web

If your lookup table has a field that represents time, you can use it to create a time-bounded lookup; which is also referred to as a temporal lookup. You can define CSV lookups, external lookups, and KV Store lookups as time-based lookups, but you cannot define a geospatial lookup as a time-based lookup.

Prerequisites
Review the following topics:

Create a time-based lookup

  1. Select Settings > Lookups.
  2. Click Lookup definitions.
  3. Click the lookup that you want to define as a time-based lookup.
  4. Click the Configure time-based lookup checkbox.
  5. Enter the name of the field in the lookup table that represents the timestamp.
  6. Enter the time format of the timestamp field. The default format is UTC time.
  7. Enter the minimum time in seconds that the event time can be ahead of the lookup entry time for a match to occur. The default is 0.
  8. Enter the maximum time in seconds that the event time can be ahead of lookup entry time for a match to occur. The default is 2000000000.
  9. Click Save.

The Lookup definition page appears, and the lookup that you defined is listed.

Last modified on 18 June, 2020
PREVIOUS
Define a geospatial lookup in Splunk Web 		  NEXT
Define an automatic lookup in Splunk Web

This documentation applies to the following versions of Splunk Cloud: 7.0.13, 8.1.2103, 8.1.2008, 8.1.2011, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 8.0.2006, 8.0.2007, 8.1.2009, 8.1.2012 (latest FedRAMP release), 8.1.2101

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters