https://community.splunk.com/t5/Splunk-Search/How-to-invoke-a-temporal-lookup-at-a-search-time/m-p/150254#M42092 <P>Hi there,</P> <P>I've got temporal lookup that is defined in transforms.conf as: </P> <PRE><CODE>[lookup_time] filename = lookup_time.csv max_matches = 1 time_field = start_time </CODE></PRE> <P>csv file lookup_time.csv has a structure like this:</P> <PRE><CODE>user_uid,type,start_time,start_month 13482832,WEB,1313096400,2011.08 13482832,MIX,1418331600,2014.12 </CODE></PRE> <P>Invoking it at a search time like <CODE>source=source1 | loookup lookup_time user_uid OUTPUT</CODE> doesn't work correctly and I get both types for this user_uid at every moment of time. </P> <P>But it works when making this lookup automatically invoked with this source by putting a notion about it in props.conf,</P> <PRE><CODE>[source::source1] LOOKUP-lookup_time = lookup_time user_uid OUTPUT </CODE></PRE> <P>and restarting config with <CODE>| extract reload=T</CODE></P> <P>But we don't need this lookup to run every time we address to source1, in order not to make search time longer as a lookup is heavy.</P> <P>So can I use temporal lookup at a search time? In lookups description there's no limitations about automatical or manual invoking of temporal lookup:<BR /> Or am I doing mistake somewhere? <BR /> Thanks in advance!</P> <HR /> <P><STRONG><A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Usefieldlookupstoaddinformationtoyourevents">Edit existing lookup definitions or define a new file-based or external lookup</A></STRONG></P> <P>Use the Settings &gt; Lookups &gt; Lookup definitions page to define the lookup table or edit existing lookup definitions. You can specify the type of lookup (file-based or external) and whether or not it is time-based. Once you've defined the lookup table, you can invoke the lookup in a search (using the lookup command) or you can configure the lookup to occur automatically.</P> <HR /> Tue, 24 Feb 2015 15:48:39 GMT iKate 2015-02-24T15:48:39Z https://community.splunk.com/t5/Splunk-Search/How-to-invoke-a-temporal-lookup-at-a-search-time/m-p/150254#M42092 <P>Hi there,</P> <P>I've got temporal lookup that is defined in transforms.conf as: </P> <PRE><CODE>[lookup_time] filename = lookup_time.csv max_matches = 1 time_field = start_time </CODE></PRE> <P>csv file lookup_time.csv has a structure like this:</P> <PRE><CODE>user_uid,type,start_time,start_month 13482832,WEB,1313096400,2011.08 13482832,MIX,1418331600,2014.12 </CODE></PRE> <P>Invoking it at a search time like <CODE>source=source1 | loookup lookup_time user_uid OUTPUT</CODE> doesn't work correctly and I get both types for this user_uid at every moment of time. </P> <P>But it works when making this lookup automatically invoked with this source by putting a notion about it in props.conf,</P> <PRE><CODE>[source::source1] LOOKUP-lookup_time = lookup_time user_uid OUTPUT </CODE></PRE> <P>and restarting config with <CODE>| extract reload=T</CODE></P> <P>But we don't need this lookup to run every time we address to source1, in order not to make search time longer as a lookup is heavy.</P> <P>So can I use temporal lookup at a search time? In lookups description there's no limitations about automatical or manual invoking of temporal lookup:<BR /> Or am I doing mistake somewhere? <BR /> Thanks in advance!</P> <HR /> <P><STRONG><A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Usefieldlookupstoaddinformationtoyourevents">Edit existing lookup definitions or define a new file-based or external lookup</A></STRONG></P> <P>Use the Settings &gt; Lookups &gt; Lookup definitions page to define the lookup table or edit existing lookup definitions. You can specify the type of lookup (file-based or external) and whether or not it is time-based. Once you've defined the lookup table, you can invoke the lookup in a search (using the lookup command) or you can configure the lookup to occur automatically.</P> <HR /> Tue, 24 Feb 2015 15:48:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-invoke-a-temporal-lookup-at-a-search-time/m-p/150254#M42092 iKate 2015-02-24T15:48:39Z https://community.splunk.com/t5/Splunk-Search/How-to-invoke-a-temporal-lookup-at-a-search-time/m-p/150255#M42093 <P>It should work in both cases.</P> <P>Can you try adding</P> <P>time_format = %s</P> <P>Otherwise check your permissions on the lookup and set to global to see if it helps.</P> Thu, 02 Nov 2017 08:38:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-invoke-a-temporal-lookup-at-a-search-time/m-p/150255#M42093 peterchenadded 2017-11-02T08:38:58Z