How to invoke a temporal lookup at a search-time?

iKate · ‎02-24-2015

Hi there,

I've got temporal lookup that is defined in transforms.conf as:

[lookup_time]
filename = lookup_time.csv
max_matches = 1
time_field = start_time

csv file lookup_time.csv has a structure like this:

user_uid,type,start_time,start_month
13482832,WEB,1313096400,2011.08
13482832,MIX,1418331600,2014.12

Invoking it at a search time like source=source1 | loookup lookup_time user_uid OUTPUT doesn't work correctly and I get both types for this user_uid at every moment of time.

But it works when making this lookup automatically invoked with this source by putting a notion about it in props.conf,

[source::source1]
 LOOKUP-lookup_time = lookup_time user_uid OUTPUT

and restarting config with | extract reload=T

But we don't need this lookup to run every time we address to source1, in order not to make search time longer as a lookup is heavy.

So can I use temporal lookup at a search time? In lookups description there's no limitations about automatical or manual invoking of temporal lookup:
Or am I doing mistake somewhere?
Thanks in advance!

Edit existing lookup definitions or define a new file-based or external lookup

Use the Settings > Lookups > Lookup definitions page to define the lookup table or edit existing lookup definitions. You can specify the type of lookup (file-based or external) and whether or not it is time-based. Once you've defined the lookup table, you can invoke the lookup in a search (using the lookup command) or you can configure the lookup to occur automatically.

peterchenadded · ‎11-02-2017

It should work in both cases.

Can you try adding

time_format = %s

Otherwise check your permissions on the lookup and set to global to see if it helps.

How to invoke a temporal lookup at a search-time?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor