Splunk Search

How to invoke a temporal lookup at search time?

iKate
Builder

Hi there,

I've got a temporal lookup that is defined in transforms.conf as:

[lookup_time]
filename = lookup_time.csv
max_matches = 1
time_field = start_time

The CSV file lookup_time.csv has a structure like this:

user_uid,type,start_time,start_month
13482832,WEB,1313096400,2011.08
13482832,MIX,1418331600,2014.12

Invoking it at search time like source=source1 | lookup lookup_time user_uid OUTPUT doesn't work correctly and I get both types for this user_uid at every point in time.

But it works when making this lookup automatically invoked for this source by putting an entry for it in props.conf,

[source::source1]
LOOKUP-lookup_time = lookup_time user_uid OUTPUT

and restarting config with | extract reload=T

But we don't need this lookup to run every time we search source1, so as not to make searches slower, as the lookup is heavy.

So can I use a temporal lookup at search time? In the lookups description there are no limitations on automatic or manual invocation of a temporal lookup:
Or am I making a mistake somewhere?
Thanks in advance!


Edit existing lookup definitions or define a new file-based or external lookup

Use the Settings > Lookups > Lookup definitions page to define the lookup table or edit existing lookup definitions. You can specify the type of lookup (file-based or external) and whether or not it is time-based. Once you've defined the lookup table, you can invoke the lookup in a search (using the lookup command) or you can configure the lookup to occur automatically.


peterchenadded
Path Finder

It should work in both cases.

Can you try adding

time_format = %s

Otherwise check your permissions on the lookup and set them to global to see if it helps.

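To make the expected behaviour concrete, here is an added Python model of what a time-based lookup should return versus a plain key lookup, using the lookup_time.csv rows from the question and a few constructed events. This is example code written for this thread, not Splunk's implementation: it assumes the documented semantics that a time-based lookup matches only rows whose time_field is not after the event's _time, picks the most recent ones up to max_matches, and that time_format = %s means the field is already epoch seconds (the offset settings such as max_offset_secs are ignored in this simplified model). The event timestamps and the helper names parse_time, load_lookup, plain_lookup, temporal_lookup and enrich_events are all made up for the example.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed copy of the lookup table from the question (sample data, not a real dataset).
LOOKUP_CSV = """user_uid,type,start_time,start_month
13482832,WEB,1313096400,2011.08
13482832,MIX,1418331600,2014.12
"""

# Constructed events from "source1": (_time in epoch seconds, user_uid).
EVENTS = [
    (1300000000, "13482832"),  # March 2011, before any row has started
    (1350000000, "13482832"),  # October 2012, the WEB row is in effect
    (1420000000, "13482832"),  # end of December 2014, the MIX row is in effect
]


def parse_time(value, time_format):
    """Convert the lookup's time_field to epoch seconds, as time_format tells Splunk to.
    '%s' means the value already is epoch seconds; anything else is a strptime pattern (UTC assumed)."""
    if time_format == "%s":
        return int(value)
    return int(datetime.strptime(value, time_format).replace(tzinfo=timezone.utc).timestamp())


def load_lookup(text, time_field="start_time", time_format="%s"):
    """Read the CSV and attach a parsed epoch value to every row (hypothetical helper)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["_epoch"] = parse_time(row[time_field], time_format)
    return rows


def plain_lookup(rows, user_uid):
    """Non-temporal match: every row with the key matches, which is the
    'both types at every point in time' result described in the question."""
    return [r["type"] for r in rows if r["user_uid"] == user_uid]


def temporal_lookup(rows, user_uid, event_time, max_matches=1):
    """Model of a time-based lookup: only rows whose time_field is not after
    the event time are candidates, newest first, capped at max_matches."""
    candidates = [r for r in rows if r["user_uid"] == user_uid and r["_epoch"] <= event_time]
    candidates.sort(key=lambda r: r["_epoch"], reverse=True)
    return [r["type"] for r in candidates[:max_matches]]


def enrich_events(rows, events):
    """Return (event_time, user_uid, type) per event; type is None when no row was in effect yet."""
    out = []
    for event_time, user_uid in events:
        matches = temporal_lookup(rows, user_uid, event_time)
        out.append((event_time, user_uid, matches[0] if matches else None))
    return out


if __name__ == "__main__":
    rows = load_lookup(LOOKUP_CSV)
    print("plain   :", plain_lookup(rows, "13482832"))
    for event_time, user_uid, typ in enrich_events(rows, EVENTS):
        print("temporal:", event_time, user_uid, typ)
```

The plain match returns both WEB and MIX for every event, which is the symptom in the question; the temporal match returns the single type that was current at each event's _time and nothing at all for an event older than every row. If a time_field is stored as epoch seconds but parsed with a non-epoch time_format, parse_time fails outright, which is the kind of mismatch the time_format = %s suggestion above is meant to avoid.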