Splunk lookups

Posted byLaszlo Pinter Leave a comment on Splunk lookups

Lookups provide readable information to users, so they don’t have to understand the returned codes in the reports.

Lookups are defined for a specific app, and not accessible from other apps.

Lookup options

Lookup code, description (input, output) values can be defined in multiple ways

  1. Comma delimited text file (csv),
  2. Search results saved as lookup table,
  3. External script or command,
  4. Splunk DB Connect application,
  5. Geospatial lookups,
  6. KV Store collection.

Create a lookup data .csv file

Save the lookup values in a “.csv” file on your workstation, with comma separated input and output values:

code,description
1,Success
2,Failure
3,Error …

To import a lookup table

Upload the data to the Splunk server

  1. In the Settings menu select Lookups,

  2. In the Lookup table files row click Add new,
  3. Select the Destination app where the lookup table will be available,
  4. Browse to the data file on your workstation,
  5. Enter the Destination filename for the uploaded file on the Splunk server,
  6. Click Save to upload the file to the Splunk server.

Import the data to the Splunk server

  1. In the Settings menu select Lookups again,
  2. Click Lookup definitions,
  3. Make sure the correct App context is selected in the drop-down, and click New,
  4. Make sure the correct Destination app and Lookup file are selected. Enter a name for the lookup definition, and keep File-based selected,
  5. Click Save.

Verify the imported lookup table

  1. Click the Splunk icon in the upper left corner to return to the home page,
  2. Click Search & Reporting,
  3. In the New Search field enter the following command with the “Name” you have entered on the Lookup definitions page to see the table of lookup values. 
    | inputlookup MY_LOOKUP_NAME

Using lookup

Pipe the data into the lookup command to convert code to description

sourcetype=... | lookup products_lookup productId as productId OUTPUT product_name as ProductName

Pipe the result forward to the stats command for further processing

sourcetype=... | lookup products_lookup productId as productId OUTPUT product_name as ProductName | stats count by ProductName

Automatic lookup definition

If you want the lookup automatically appear in reports, create an automatic lookup definition.

  1. In the Settings menu select Lookups,
  2. Click Automatic lookups,

    1. Select the App context, and click New,
    2. Make sure the correct Destination app is selected where the lookup will be accessible,
    3. Create a name,
    4. Select the lookup table from the dropdown,
    5. In the Apply to section select the data type to use the lookup table for,
    6. In the Lookup input fields section enter the name of the code column in the lookup table and the code field name in the report.
    7. In the Lookup output fields section specify the display values.You can specify multiple fields using the Add another field link.
    8. If you want to overwrite existing field values, check the Overwrite field values checkbox.
    9. Click Save to save the lookup.

 

Leave a comment

Your email address will not be published. Required fields are marked *