How is the maximum offset used in my time-based lookup search?



I've created a time-based lookup definition which I want to use in my search. The example.csv has a time field "timestamp" and the maximum offset is 1800.

 | lookup example.csv key OUTPUT flag

How is the maximum offset used here? In the results, every event is flagged, not only the events during the maximum offset.


Splunk Employee

In order for the lookup to be time-based, it must also include a "time_field" value within the transforms.conf definition. Given your description of the behavior, it sounds like you're not triggering a time-based lookup, or the timestamp is not within the format specified in your time_format option within transforms.conf. If this setting is not provided, Splunk assumes that the time field is in epoch time.

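As an added illustration of the answer above (not from the original thread): a transforms.conf stanza that makes the lookup time-based, assuming the definition is named example_lookup and that the timestamp column holds epoch seconds.

```ini
# transforms.conf (e.g. $SPLUNK_HOME/etc/apps/<app>/local/transforms.conf)
# The stanza name "example_lookup" and the epoch-seconds format are assumptions.
[example_lookup]
filename = example.csv
# Naming the time field is what makes the lookup time-based; without it,
# every event whose "key" matches receives "flag" regardless of its _time.
time_field = timestamp
# strptime format of the timestamp column; %s is epoch seconds, which is
# also what Splunk assumes when time_format is omitted.
time_format = %s
# An event's _time may be at most 1800 seconds later than the lookup
# row's timestamp for the row to match.
max_offset_secs = 1800
min_offset_secs = 0

# The search refers to the definition by its stanza name so that these
# settings apply:
#   ... | lookup example_lookup key OUTPUT flag
```

If the timestamp column is not epoch seconds, set time_format to the matching strptime pattern (for example %Y-%m-%d %H:%M:%S), since a row whose time cannot be parsed will not match as intended.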


Hi Heinz,

There is no row or column limitation on a lookup table; the default size is 10MB.

Refer to the post: Link
