Splunk Search

Configure a time-based lookup for more than one field

boris
Path Finder

In a lookup file, how can I configure more than one time-based fields (ex. start_date, update_date, expire_date)?

Within this doc for configuring field lookups it appears to say that only one field in a lookup file can have a time searchable format:

"
Configure a time-based lookup

File-based and external lookups can also be time-based (or temporal), if the field matching depends on time information (a field in the lookup table that represents the timestamp).
To Configure a time-based lookup, specify the Name of the time field.

"

Tags (1)

jrodman
Splunk Employee
Splunk Employee

You are correct. That functionality isn't available, but with the model provided it wouldn't really help you.

Time based lookups effectively create blocks of time between each time-key in the table. Basically for any particular time that we wish to lookup in the table, we find the expressed window of time (from the time key field) that matches the lookup time, and find the entry at the leading edge of the window.

You could certainly look up multiple fields against one time window set individually by multiple lookup passes, if the desired enrichments by field are the same values by time window, or if you can simply acquire different target values out of the lookup by your choice of lookup use expression. However there is only one time key that will will lookup at once.

If it were to express multiple time columns in one lookup file, you would still have to do the manual work to compute the intersections of all the possible valid time-point transitions in order to contruct the set of valid windows. So it wouldn't really save you much over just having three lookups once for each type of date, that you use to acquire any fields relevant to those times, and then use the outputs to lookup any values that are dependent upon the combination in another table.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...