Splunk Search

Configure a time-based lookup for more than one field

boris
Path Finder

In a lookup file, how can I configure more than one time-based field (e.g. start_date, update_date, expire_date)?

Within this doc for configuring field lookups it appears to say that only one field in a lookup file can have a time searchable format:

"
Configure a time-based lookup

File-based and external lookups can also be time-based (or temporal), if the field matching depends on time information (a field in the lookup table that represents the timestamp).
To Configure a time-based lookup, specify the Name of the time field.

"


jrodman
Splunk Employee

You are correct. That functionality isn't available, but with the model provided it wouldn't really help you.

Time-based lookups effectively create blocks of time between each time key in the table. Basically, for any particular time that we wish to look up in the table, we find the expressed window of time (from the time key field) that matches the lookup time, and find the entry at the leading edge of the window.

You could certainly look up multiple fields against one time window set individually by multiple lookup passes, if the desired enrichments by field are the same values by time window, or if you can simply acquire different target values out of the lookup by your choice of lookup use expression. However, there is only one time key that we will look up at once.

If it were to express multiple time columns in one lookup file, you would still have to do the manual work to compute the intersections of all the possible valid time-point transitions in order to construct the set of valid windows. So it wouldn't really save you much over just having three lookups, one for each type of date, that you use to acquire any fields relevant to those times, and then use the outputs to look up any values that are dependent upon the combination in another table.

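As an added illustration of the window model described in the answer above (example code, not from the post or from Splunk), this Python simulates one time-based lookup pass per time column over a constructed lookup file, then merges every column's transition points into the combined windows that a single multi-time-key lookup would have to compute. The lookup rows, the `temporal_lookup`/`enrich`/`combined_windows` names and the "latest key at or before the lookup time" rule are assumptions made for the illustration.

```python
from bisect import bisect_right
from datetime import datetime

# Constructed lookup file: one host, three rows, three time columns, as in the question.
LOOKUP = [
    {"host": "web01", "start_date": "2024-01-01", "update_date": "2024-01-15",
     "expire_date": "2024-06-30", "owner": "alice"},
    {"host": "web01", "start_date": "2024-03-01", "update_date": "2024-03-20",
     "expire_date": "2024-09-30", "owner": "bob"},
    {"host": "web01", "start_date": "2024-05-01", "update_date": "2024-05-05",
     "expire_date": "2024-12-31", "owner": "carol"},
]
TIME_FIELDS = ("start_date", "update_date", "expire_date")


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d")


def temporal_lookup(rows, match, time_field, lookup_time):
    """One time-based lookup pass keyed on a single time column.

    The values of time_field split the timeline into windows; the match is the row at
    the leading edge of the window containing lookup_time, i.e. the latest key that is
    <= lookup_time. Returns None when lookup_time precedes every key. (Splunk's own
    min_offset_secs / max_offset_secs bounds are deliberately not modelled here.)"""
    candidates = [r for r in rows if all(r[k] == v for k, v in match.items())]
    candidates.sort(key=lambda r: parse(r[time_field]))
    keys = [parse(r[time_field]) for r in candidates]
    i = bisect_right(keys, lookup_time)
    return candidates[i - 1] if i else None


def enrich(rows, match, lookup_time):
    """Three lookup passes, one per time column: each may land on a different row."""
    return {f: temporal_lookup(rows, match, f, lookup_time) for f in TIME_FIELDS}


def combined_windows(rows, time_fields=TIME_FIELDS):
    """The manual intersection work the answer describes: every time column's transition
    points merged into one sorted set. Between consecutive points the result of all three
    passes is stable, so these are the windows a multi-time-key lookup would need."""
    points = sorted({parse(r[f]) for r in rows for f in time_fields})
    return [(points[k], points[k + 1]) for k in range(len(points) - 1)]


if __name__ == "__main__":
    t = parse("2024-03-10")
    for field, row in enrich(LOOKUP, {"host": "web01"}, t).items():
        print(field, "->", row["owner"] if row else None)  # bob / alice / None
    for start, end in combined_windows(LOOKUP):
        print(f"window {start.date()} .. {end.date()}")
```

Run as-is to see that a single lookup time resolves to a different row per time column, which is why the answer suggests one lookup per date type followed by a second lookup on the combination.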