If your lookup table has a field that represents time, you can use it to create a time-bound lookup; which is also referred to as a temporal lookup. You can define CSV lookups, external lookups, and KV Store lookups as time-based lookups, but you cannot define a geospatial lookup as a time-based lookup.

Prerequisites

• Lookups and the search-time operations sequence for field lookup restrictions
• Define a CSV lookup in Splunk Web
• Define an external lookup in Splunk Web
• Define a KV Store lookup in Splunk Web

Create a time-based lookup

1. Select Settings > Lookups.
2. Click Lookup definitions.
3. Click the lookup that you want to define as a time-based lookup.
4. Click the Configure time-based lookup checkbox.
5. Enter the name of the field in the lookup table that represents the timestamp.
6. Enter the time format of the timestamp field. The default format is UTC time.
7. Enter the minimum time in seconds that the event time can be ahead of the lookup entry time for a match to occur. The default is 0.
8. Enter the maximum time in seconds that the event time can be ahead of lookup entry time for a match to occur. The default is 2000000000.
9. Click Save.

The Lookup definition page appears, and the lookup that you defined is listed.