Using time in lookups

A temporal lookup enriches events based on when each event happened. To set one up, the lookup source carries a field marking the beginning of each row's time range, and the lookup configuration declares the format of that field. Because the match is made at search time against each event's timestamp, lookup values can change over time, and even retroactively: editing the lookup changes how events already indexed are enriched.

Here is a very simple example that attaches a version field based on time. Say we have the following CSV file:

sourcetype,version,time
impl_splunk_gen,1.0,2012-09-19 02:56:30 UTC
impl_splunk_gen,1.1,2012-09-22 12:01:45 UTC
impl_splunk_gen,1.2,2012-09-23 18:12:12 UTC

We then use the lookup configuration in transforms.conf to specify which field in our lookup will be tested against the time of each event, and what format that time field uses:

[versions]
filename = versions.csv
time_field = time
time_format = %Y-%m-%d %H:%M:%S %Z

With this in place, we can now use our lookup in search, as shown here:

sourcetype=impl_splunk_gen error
| lookup versions sourcetype
| timechart count by version

This would give us a chart of errors (by version) over time.
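To make the matching rule concrete, here is an added example (not Splunk's code, and not from the book) that re-implements the temporal lookup above in plain Python: it loads the versions.csv rows, parses the time field with the time_format from the [versions] stanza, and for each event picks the row whose range start is the latest one not after the event's own timestamp, keyed by sourcetype. It assumes, as the text implies, that an event earlier than the first row for its key gets no value, and the sample events, the to_epoch helper and the count_by_version summary are constructed for this illustration.

```python
import csv
import io
from bisect import bisect_right
from collections import Counter
from datetime import datetime, timezone

# Lookup source from the text (versions.csv), embedded so this runs offline.
VERSIONS_CSV = """sourcetype,version,time
impl_splunk_gen,1.0,2012-09-19 02:56:30 UTC
impl_splunk_gen,1.1,2012-09-22 12:01:45 UTC
impl_splunk_gen,1.2,2012-09-23 18:12:12 UTC
"""

# Settings from the [versions] stanza in transforms.conf.
TIME_FIELD = "time"
TIME_FORMAT = "%Y-%m-%d %H:%M:%S %Z"


def parse_lookup_time(text, fmt=TIME_FORMAT):
    """Parse a lookup time field into epoch seconds.
    The sample CSV always says UTC, so the naive result of %Z is pinned to UTC;
    a real lookup with other zone names would need explicit handling (assumption)."""
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp()


def to_epoch(utc_text):
    """Helper for building event timestamps: 'YYYY-MM-DD HH:MM:SS' in UTC -> epoch seconds."""
    return datetime.strptime(utc_text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


def load_temporal_lookup(csv_text, key_field, time_field=TIME_FIELD, time_format=TIME_FORMAT):
    """Build {key: [(range_start_epoch, row), ...]} sorted by range start per key."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        start = parse_lookup_time(row[time_field], time_format)
        table.setdefault(row[key_field], []).append((start, row))
    for key in table:
        table[key].sort(key=lambda pair: pair[0])
    return table


def temporal_match(table, key, event_time):
    """Return the lookup row whose range start is the latest one <= event_time for this key,
    or None when the key is unknown or the event predates every row (assumed behaviour)."""
    rows = table.get(key)
    if not rows:
        return None
    starts = [start for start, _ in rows]
    i = bisect_right(starts, event_time) - 1
    return rows[i][1] if i >= 0 else None


TABLE = load_temporal_lookup(VERSIONS_CSV, key_field="sourcetype")


def lookup_version(event_time, sourcetype="impl_splunk_gen"):
    """Equivalent of '| lookup versions sourcetype' for one event: the version in force at event_time."""
    row = temporal_match(TABLE, sourcetype, event_time)
    return row["version"] if row else None


def enrich_events(events, key_field="sourcetype", out_field="version"):
    """Attach out_field to each event that has a matching lookup row; others are left untouched."""
    enriched = []
    for event in events:
        copy = dict(event)
        row = temporal_match(TABLE, event[key_field], event["_time"])
        if row:
            copy[out_field] = row[out_field]
        enriched.append(copy)
    return enriched


def count_by_version(events):
    """Stand-in for the 'count by version' part of the timechart: counts only events that got a version."""
    return Counter(e["version"] for e in enrich_events(events) if "version" in e)


# Constructed sample events in the shape Splunk would index them (_time is epoch seconds).
SAMPLE_EVENTS = [
    {"_time": to_epoch("2012-09-18 23:59:59"), "sourcetype": "impl_splunk_gen", "message": "error: before any version"},
    {"_time": to_epoch("2012-09-20 08:00:00"), "sourcetype": "impl_splunk_gen", "message": "error: disk"},
    {"_time": to_epoch("2012-09-21 09:30:00"), "sourcetype": "impl_splunk_gen", "message": "error: disk again"},
    {"_time": to_epoch("2012-09-22 12:01:45"), "sourcetype": "impl_splunk_gen", "message": "error: exactly at 1.1 start"},
    {"_time": to_epoch("2012-09-24 00:00:00"), "sourcetype": "impl_splunk_gen", "message": "error: auth"},
    {"_time": to_epoch("2012-09-24 00:00:01"), "sourcetype": "other_source", "message": "error: no lookup rows for this key"},
]

if __name__ == "__main__":
    for event in enrich_events(SAMPLE_EVENTS):
        print(event.get("version"), event["message"])
    print(dict(count_by_version(SAMPLE_EVENTS)))
```

The boundary is inclusive at the start of a range: an event stamped exactly 2012-09-22 12:01:45 UTC gets version 1.1, and the retroactive effect described above falls out naturally, since changing a row's time or version in the CSV changes what every past event resolves to the next time the search runs.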

Other use cases include tracking deployments across environments and tracking activity from disabled accounts.