Configure a time-based lookup for more than one field

boris
Path Finder

In a lookup file, how can I configure more than one time-based field (e.g. start_date, update_date, expire_date)?

Within this doc for configuring field lookups, it appears to say that only one field in a lookup file can have a time-searchable format:

"Configure a time-based lookup

File-based and external lookups can also be time-based (or temporal), if the field matching depends on time information (a field in the lookup table that represents the timestamp).
To configure a time-based lookup, specify the Name of the time field."


jrodman
Splunk Employee

You are correct. That functionality isn't available, but with the model provided it wouldn't really help you.

Time-based lookups effectively create blocks of time between each time key in the table. Basically, for any particular time that we wish to look up in the table, we find the expressed window of time (from the time key field) that matches the lookup time, and find the entry at the leading edge of the window.

You could certainly look up multiple fields against one time window set individually by multiple lookup passes, if the desired enrichments by field are the same values by time window, or if you can simply acquire different target values out of the lookup by your choice of lookup use expression. However, there is only one time key that will be looked up at once.

If you were to express multiple time columns in one lookup file, you would still have to do the manual work to compute the intersections of all the possible valid time-point transitions in order to construct the set of valid windows. So it wouldn't really save you much over just having three lookups, one for each type of date, that you use to acquire any fields relevant to those times, and then use the outputs to look up any values that are dependent upon the combination in another table.

0 Karma
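To make the window semantics in the answer above concrete, here is an added Python model of a temporal lookup and of the "three lookups, one per date" workaround. This is example code written for this page, not Splunk's implementation and not part of the original post. It assumes epoch-second time keys, the "latest key at or before the lookup time" rule the answer describes, and a `max_offset_secs` cut-off modelled on the transforms.conf setting of that name; the three sample tables are constructed for illustration. `combined_windows` shows the intersection work a single multi-key file would still force on you: the merged window set is simply every time key from every table, each resolved against all three lookups.

```python
import bisect

# Constructed sample lookup tables, one time key each (not from the original post).
START = [   # time key: start_date
    {"start_date": 100, "start_state": "provisioned"},
    {"start_date": 300, "start_state": "active"},
]
UPDATE = [  # time key: update_date
    {"update_date": 200, "owner": "alice"},
    {"update_date": 350, "owner": "bob"},
]
EXPIRE = [  # time key: expire_date
    {"expire_date": 400, "status": "expired"},
]

# Each entry pairs a table with the single field that acts as its time key.
TABLES = [(START, "start_date"), (UPDATE, "update_date"), (EXPIRE, "expire_date")]


def temporal_lookup(table, time_field, t, max_offset_secs=None):
    """Return the row at the leading edge of the window containing time t.

    The window for a row runs from its time key up to the next row's key,
    so the match is the row with the latest key <= t.  max_offset_secs
    (assumed to mirror the transforms.conf setting) rejects a match whose
    key is too far in the past.  Returns None when nothing matches.
    """
    rows = sorted(table, key=lambda r: r[time_field])
    keys = [r[time_field] for r in rows]
    i = bisect.bisect_right(keys, t) - 1      # index of latest key <= t
    if i < 0:
        return None                            # t precedes the first window
    row = rows[i]
    if max_offset_secs is not None and t - row[time_field] > max_offset_secs:
        return None
    return row


def enrich(tables, t, max_offset_secs=None):
    """The workaround from the answer: one lookup pass per time key, merged.

    Only non-key fields are copied, and later tables win on name clashes.
    """
    merged = {}
    for table, time_field in tables:
        row = temporal_lookup(table, time_field, t, max_offset_secs)
        if row is not None:
            merged.update({k: v for k, v in row.items() if k != time_field})
    return merged


def combined_windows(tables):
    """What a single file with several time keys would have to pre-compute.

    A valid window boundary is every point at which ANY key changes, so the
    combined window set is the union of all keys; each boundary is then
    resolved against every table.  Returns [(window_start, merged_fields)].
    """
    boundaries = sorted({r[tf] for table, tf in tables for r in table})
    return [(b, enrich(tables, b)) for b in boundaries]


def window_for(windows, t):
    """Pick the combined window whose start is the latest <= t."""
    starts = [b for b, _ in windows]
    i = bisect.bisect_right(starts, t) - 1
    return {} if i < 0 else windows[i][1]


if __name__ == "__main__":
    for start, fields in combined_windows(TABLES):
        print(start, fields)
    print("at t=320:", enrich(TABLES, 320))
```

Running it shows five combined windows (starting at 100, 200, 300, 350 and 400) built from three tables holding only five rows in total, and that `enrich` at a given time agrees with `window_for` over the precomputed set. Adding a fourth date column multiplies the boundary set again, which is the intersection work the answer says you would be doing by hand either way.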