https://community.splunk.com/t5/Splunk-Search/How-to-use-time-base-lookup/m-p/149115#M41664 <P>dolivasoh,Thank you for your response.</P> <P>I have tried outputting the field as "index=test | lookup test ip output unit | table _time,unit,ip".</P> <P>However , I don't get "unit" field.</P> Tue, 06 Jan 2015 00:44:15 GMT akanno 2015-01-06T00:44:15Z https://community.splunk.com/t5/Splunk-Search/How-to-use-time-base-lookup/m-p/149111#M41660 <P>Hi,Splunk community.</P> <P>I have a question about time-base-lookup.</P> <P>I set following attribute to transforms.conf</P> <P>[test]<BR /> collection = test<BR /> external_type = kvstore<BR /> fields_list = ip,unit,time<BR /> time_field = time<BR /> time_format = %d/%m/%y/%H</P> <P>and I set following attribute to collections.conf.</P> <P>[test]</P> <P>Result of "| inputlookup test" is following.</P> <P>ip time unit<BR /> 192.168.150.81 09/12/14/18 B部<BR /> 192.168.150.6 09/12/14/18 A部<BR /> 192.168.150.81 09/12/14/17 D部<BR /> 192.168.150.6 09/12/14/17 C部</P> <P>I search by "index=test | lookup test ip".<BR /> However lookup does not work.</P> <P>Why doesn't work?<BR /> Is there a way to solve?</P> Mon, 28 Sep 2020 18:21:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-time-base-lookup/m-p/149111#M41660 akanno 2020-09-28T18:21:30Z https://community.splunk.com/t5/Splunk-Search/How-to-use-time-base-lookup/m-p/149112#M41661 <P>You had it right with "| inputlookup test", just continue your search from there or use the lookup table as enrichment to indexed data. Lookups do no go in the index.</P> Thu, 01 Jan 2015 02:54:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-time-base-lookup/m-p/149112#M41661 dolivasoh 2015-01-01T02:54:36Z https://community.splunk.com/t5/Splunk-Search/How-to-use-time-base-lookup/m-p/149113#M41662 <P>Results when I search in "index=test | table _time,ip" are following.</P> <P>results<BR /> _time ip<BR /> 2014-12-09 18:00:01 192.168.150.81<BR /> 2014-12-09 18:00:01 192.168.150.81<BR /> 2014-12-09 18:00:01 192.168.150.6</P> <P>If lookup correctly works , results when I search "index=test | lookup test ip | table _time,unit,ip" are like following.</P> <P>results<BR /> _time unit ip<BR /> 2014-12-09 18:00:01 B部 192.168.150.81<BR /> 2014-12-09 18:00:01 B部 192.168.150.81<BR /> 2014-12-09 18:00:01 A部 192.168.150.6</P> <P>However , I don't get the above results.<BR /> why can't I get the above result?<BR /> Results I get are following</P> <P>results<BR /> _time unit ip<BR /> 2014-12-09 18:00:01 192.168.150.81<BR /> 2014-12-09 18:00:01 192.168.150.81<BR /> 2014-12-09 18:00:01 192.168.150.6</P> Mon, 05 Jan 2015 02:08:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-time-base-lookup/m-p/149113#M41662 akanno 2015-01-05T02:08:29Z https://community.splunk.com/t5/Splunk-Search/How-to-use-time-base-lookup/m-p/149114#M41663 <P>Try outputting the field you want from the lookup table, lookup {{table_name}} {{input_field}} output {{output_field}}</P> Mon, 28 Sep 2020 18:31:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-time-base-lookup/m-p/149114#M41663 dolivasoh 2020-09-28T18:31:53Z https://community.splunk.com/t5/Splunk-Search/How-to-use-time-base-lookup/m-p/149115#M41664 <P>dolivasoh,Thank you for your response.</P> <P>I have tried outputting the field as "index=test | lookup test ip output unit | table _time,unit,ip".</P> <P>However , I don't get "unit" field.</P> Tue, 06 Jan 2015 00:44:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-time-base-lookup/m-p/149115#M41664 akanno 2015-01-06T00:44:15Z