Hi @YuriSpirin, When we define our lookup with time_format = %s, the time field in our collection should have type number: # collections.conf
[dhcp_timebased_lookup]
enforceTypes = true
field.time = number
field.ip = string
field.hostname = string
field.mac = string
# transforms.conf
[dhcp_timebased_lookup]
collection = dhcp_timebased_lookup
external_type = kvstore
fields_list = time,ip,hostname,mac
max_offset_secs = 691200
min_offset_secs = 0
time_field = time
time_format = %s We can populate the lookup with test data: | makeresults format=csv data="time,ip,hostname,mac
1709251200,1.2.3.4,host-43,aa:bb:cc:dd:ee:ff
1709164800,1.2.3.4,host-42,aa:bb:cc:dd:ee:fe
1709078400,1.2.3.4,host-41,aa:bb:cc:dd:ee:fd"
| outputlookup dhcp_timebased_lookup and validate it with an additional test: | makeresults format=csv data="_time,dest_ip
1709208000,1.2.3.4"
| lookup dhcp_timebased_lookup ip as dest_ip output hostname _time dest_ip hostname
2024-02-29 07:00:00 1.2.3.4 host-42 We can also experiment with accelerated fields to improve performance, although we may not see the performance returns we expect: [dhcp_timebased_lookup]
enforceTypes = true
field.time = number
field.ip = string
field.hostname = string
field.mac = string
accelerated_fields.ip = {"time": -1, "ip": 1} Compare with a similar file-based lookup with a size less than or equal to the configured max_memtable_bytes limit: # limits.conf
[lookup]
# default 25 MB; increase max_memtable_bytes to a value greater than our
# largest lookup file, assuming we have adequate phyiscal memory available
max_memtable_bytes = 26214400
... View more