Splunk Search

Configure a time-based lookup for more than one field

boris
Path Finder

In a lookup file, how can I configure more than one time-based fields (ex. start_date, update_date, expire_date)?

Within this doc for configuring field lookups it appears to say that only one field in a lookup file can have a time searchable format:

"
Configure a time-based lookup

File-based and external lookups can also be time-based (or temporal), if the field matching depends on time information (a field in the lookup table that represents the timestamp).
To Configure a time-based lookup, specify the Name of the time field.

"

Tags (1)

jrodman
Splunk Employee
Splunk Employee

You are correct. That functionality isn't available, but with the model provided it wouldn't really help you.

Time based lookups effectively create blocks of time between each time-key in the table. Basically for any particular time that we wish to lookup in the table, we find the expressed window of time (from the time key field) that matches the lookup time, and find the entry at the leading edge of the window.

You could certainly look up multiple fields against one time window set individually by multiple lookup passes, if the desired enrichments by field are the same values by time window, or if you can simply acquire different target values out of the lookup by your choice of lookup use expression. However there is only one time key that will will lookup at once.

If it were to express multiple time columns in one lookup file, you would still have to do the manual work to compute the intersections of all the possible valid time-point transitions in order to contruct the set of valid windows. So it wouldn't really save you much over just having three lookups once for each type of date, that you use to acquire any fields relevant to those times, and then use the outputs to lookup any values that are dependent upon the combination in another table.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...