Define a time-based lookup in Splunk Web
If your lookup table has a field that represents time, you can use it to create a time-bounded lookup; which is also referred to as a temporal lookup. You can define CSV lookups, external lookups, and KV Store lookups as time-based lookups, but you cannot define a geospatial lookup as a time-based lookup.
Review the following topics:
- Lookups and the search-time operations sequence for field lookup restrictions
- Define a CSV lookup in Splunk Web
- Define an external lookup in Splunk Web
- Define a KV Store lookup in Splunk Web
Create a time-based lookup
- Select Settings > Lookups.
- Click Lookup definitions.
- Click the lookup that you want to define as a time-based lookup.
- Click the Configure time-based lookup checkbox.
- Enter the name of the field in the lookup table that represents the timestamp.
- Enter the time format of the timestamp field. The default format is UTC time.
- Enter the minimum time in seconds that the event time can be ahead of the lookup entry time for a match to occur. The default is 0.
- Enter the maximum time in seconds that the event time can be ahead of lookup entry time for a match to occur. The default is 2000000000.
- Click Save.
The Lookup definition page appears, and the lookup that you defined is listed.
Define a geospatial lookup in Splunk Web
Define an automatic lookup in Splunk Web
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2109, 8.1.2011, 8.0.2006, 8.0.2007, 8.1.2009, 8.1.2012, 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105 (latest FedRAMP release), 8.2.2106, 8.2.2107