Splunk Search

How to invoke a temporal lookup at search time?


Hi there,

I've got a temporal lookup that is defined in transforms.conf as:

filename = lookup_time.csv
max_matches = 1
time_field = start_time

csv file lookup_time.csv has a structure like this:


Invoking it at search time like source=source1 | lookup lookup_time user_uid OUTPUT doesn't work correctly and I get both types for this user_uid at every moment of time.

But it works when making this lookup automatically invoked with this source by putting a notion about it in props.conf,

 LOOKUP-lookup_time = lookup_time user_uid OUTPUT

and restarting config with | extract reload=T

But we don't need this lookup to run every time we address source1, in order not to make search time longer, as the lookup is heavy.

So can I use a temporal lookup at search time? In the lookups description there are no limitations about automatic or manual invoking of a temporal lookup:
Or am I making a mistake somewhere?
Thanks in advance!

Edit existing lookup definitions or define a new file-based or external lookup

Use the Settings > Lookups > Lookup definitions page to define the lookup table or edit existing lookup definitions. You can specify the type of lookup (file-based or external) and whether or not it is time-based. Once you've defined the lookup table, you can invoke the lookup in a search (using the lookup command) or you can configure the lookup to occur automatically.

Path Finder

It should work in both cases.

Can you try adding

time_format = %s

Otherwise check your permissions on the lookup and set to global to see if it helps.

0 Karma
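
As an added illustration (not code from this thread or from Splunk): a small Python model of the time-bounded matching that transforms.conf documents for a lookup with time_field set, next to a plain key match that reproduces the "both types" symptom from the question. The CSV rows, the type column and the user IDs are constructed, and the offsets are the transforms.conf defaults for max_offset_secs and min_offset_secs.

```python
import csv
import io

# Constructed sample table; the page does not show the real lookup_time.csv.
# Only user_uid and start_time come from the post; "type" is an assumed column.
LOOKUP_CSV = """user_uid,start_time,type
u42,1609459200,trial
u42,1612137600,paid
u77,1609459200,paid
"""

MAX_OFFSET_SECS = 2000000000  # transforms.conf default for max_offset_secs
MIN_OFFSET_SECS = 0           # transforms.conf default for min_offset_secs


def load_rows(text=LOOKUP_CSV):
    """Parse the lookup table into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def plain_lookup(rows, user_uid):
    """Key-only match: every row for the key comes back (the reported symptom)."""
    return [r["type"] for r in rows if r["user_uid"] == user_uid]


def temporal_lookup(rows, user_uid, event_time, max_matches=1):
    """Time-bounded match: keep rows whose start_time precedes the event
    within the offset window, newest first, then cut to max_matches."""
    hits = []
    for r in rows:
        if r["user_uid"] != user_uid:
            continue
        start = float(r["start_time"])  # time_format = %s means epoch seconds
        if MIN_OFFSET_SECS <= event_time - start <= MAX_OFFSET_SECS:
            hits.append((start, r["type"]))
    hits.sort(reverse=True)  # descending time order
    return [t for _, t in hits[:max_matches]]


if __name__ == "__main__":
    rows = load_rows()
    for ts in (1610000000, 1613000000):  # constructed event timestamps
        print(ts, plain_lookup(rows, "u42"), temporal_lookup(rows, "u42", ts))
```

If a search-time lookup returns what plain_lookup returns here, the time-bounded path is not being applied, which is what the time_format and permissions checks in the reply are meant to narrow down.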