Splunk Search

Configure a time-based lookup for more than one field

boris
Path Finder

In a lookup file, how can I configure more than one time-based field (e.g. start_date, update_date, expire_date)?

Within this doc for configuring field lookups, it appears to say that only one field in a lookup file can have a time-searchable format:

"Configure a time-based lookup

File-based and external lookups can also be time-based (or temporal), if the field matching depends on time information (a field in the lookup table that represents the timestamp).
To configure a time-based lookup, specify the Name of the time field."


jrodman
Splunk Employee

You are correct. That functionality isn't available, but with the model provided it wouldn't really help you.

Time-based lookups effectively create blocks of time between each time key in the table. Basically, for any particular time that we wish to look up in the table, we find the expressed window of time (from the time key field) that matches the lookup time, and find the entry at the leading edge of the window.

You could certainly look up multiple fields against one time window set individually by multiple lookup passes, if the desired enrichments by field are the same values by time window, or if you can simply acquire different target values out of the lookup by your choice of lookup use expression. However, there is only one time key that will be looked up at once.

If it were to express multiple time columns in one lookup file, you would still have to do the manual work to compute the intersections of all the possible valid time-point transitions in order to construct the set of valid windows. So it wouldn't really save you much over just having three lookups, one for each type of date, that you use to acquire any fields relevant to those times, and then use the outputs to look up any values that are dependent upon the combination in another table.

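The window semantics described in the answer above, modelled as an added example (this is not Splunk's code and not part of the original thread). Each table has exactly one time key, the way a transforms.conf stanza has a single time_field, and a lookup returns the row at the leading edge of the window that contains the event's _time, honouring min/max offsets. It then chains three such tables (start_date, update_date, expire_date) the way the answer suggests, and computes the union of transition points that a single combined multi-key table would have to be built from. The hosts, dates and field names are constructed for the example.

```python
import csv
import io
from bisect import bisect_right
from datetime import datetime, timezone

# Constructed lookup tables, one time key each (values are made up).
START_CSV = """host,start_date,owner
web01,2024-01-01,alice
web01,2024-03-15,bob
db01,2024-02-01,carol
"""
UPDATE_CSV = """host,update_date,version
web01,2024-01-10,1.0
web01,2024-02-20,1.1
db01,2024-02-01,5.7
"""
EXPIRE_CSV = """host,expire_date,status
web01,2024-04-01,expired
db01,2024-06-01,expired
"""


def to_epoch(text, fmt="%Y-%m-%d"):
    """Parse a lookup time string as UTC and return epoch seconds."""
    return int(datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp())


class TemporalLookup:
    """Model of one time-based lookup: a match field plus a single time key.
    Rows are bucketed by match value and sorted by the time key, so each
    consecutive pair of rows bounds one window."""

    def __init__(self, csv_text, match_field, time_field, time_format="%Y-%m-%d",
                 min_offset_secs=0, max_offset_secs=None):
        self.match_field = match_field
        self.min_offset = min_offset_secs
        self.max_offset = max_offset_secs
        self.rows = {}  # match value -> [(epoch, row), ...] ascending
        for row in csv.DictReader(io.StringIO(csv_text)):
            ts = to_epoch(row[time_field], time_format)
            self.rows.setdefault(row[match_field], []).append((ts, row))
        for entries in self.rows.values():
            entries.sort(key=lambda e: e[0])

    def lookup(self, match_value, when):
        """Return the row at the leading edge of the window containing `when`:
        the latest row whose time key is <= when - min_offset. Returns None
        before the first key or when the row is older than max_offset."""
        entries = self.rows.get(match_value, [])
        times = [ts for ts, _ in entries]
        idx = bisect_right(times, when - self.min_offset) - 1
        if idx < 0:
            return None
        ts, row = entries[idx]
        if self.max_offset is not None and when - ts > self.max_offset:
            return None
        return row

    def boundaries(self, match_value):
        """Transition points (window edges) for one match value."""
        return [ts for ts, _ in self.rows.get(match_value, [])]


def enrich(event, lookups, output_fields):
    """Run several single-key lookups in turn, each against the event's _time,
    and merge the requested output fields into a copy of the event."""
    out = dict(event)
    for lk, fields in zip(lookups, output_fields):
        row = lk.lookup(out[lk.match_field], out["_time"])
        if row is not None:
            for f in fields:
                out[f] = row[f]
    return out


def combined_windows(lookups, match_value):
    """Edges a single multi-time-key table would need for this match value:
    the sorted union of every table's transition points."""
    points = set()
    for lk in lookups:
        points.update(lk.boundaries(match_value))
    return sorted(points)


START = TemporalLookup(START_CSV, "host", "start_date")
UPDATE = TemporalLookup(UPDATE_CSV, "host", "update_date")
EXPIRE = TemporalLookup(EXPIRE_CSV, "host", "expire_date")
LOOKUPS = [START, UPDATE, EXPIRE]
OUTPUTS = [["owner"], ["version"], ["status"]]


def enrich_event(host, date_text):
    """Build an event with the given host and _time and run all three lookups."""
    return enrich({"host": host, "_time": to_epoch(date_text)}, LOOKUPS, OUTPUTS)


if __name__ == "__main__":
    for day in ("2023-12-01", "2024-03-01", "2024-04-15"):
        print(day, enrich_event("web01", day))
    print("combined edges for web01:", len(combined_windows(LOOKUPS, "web01")))
```

An event at 2024-03-01 for web01 picks up owner alice (the 2024-01-01 window is still open), version 1.1 (latest update_date at or before the event) and no status (no expire_date has been reached yet); after 2024-04-01 it picks up status expired. The combined_windows result shows the extra bookkeeping a merged table would need: five edges for web01 instead of two or three per table.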