Splunk® Enterprise Security

Administer Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Create and manage lookups in Splunk Enterprise Security

Splunk Enterprise Security provides lookups to manage asset and identity correlation with events, match threat indicators with events, and enrich dashboards and panels with information.

Users with appropriate role permissions can add lookups to Splunk Enterprise Security. After you add lookups to Splunk Enterprise Security, you can use the lookups in searches, edit the lookups, add descriptions to the lookups, and export the lookups.

New managed lookups are stored in /etc/apps/<app_name>/lookups/new_lookup.csv (at the application level) instead of /etc/users/<owner>/<app_name>/lookups/new_lookup.csv (at the user level), which lets you edit the lookups that you create.

Add a lookup to Splunk Enterprise Security

Upload and create a lookup in Splunk Enterprise Security.

  1. Select Configure > Content > Content Management.
  2. Click Create New Content > Managed Lookup.
  3. Click Create New.
  4. Select a lookup file to upload.
  5. (Optional) Change the default App for the file.
  6. (Optional) Modify the file name.
  7. (Optional) Modify the definition name.
  8. (Optional) Change the default lookup type.
  9. Type a label for the lookup. The label appears as the name for the lookup on the Content Management page.
  10. Type a description for the lookup.
  11. (Optional) Change the option to allow editing of the lookup file.
  12. Click Save.

Add an existing lookup to Splunk Enterprise Security

If the lookup file and definition already exist in the Splunk platform, you can add them to Splunk Enterprise Security so that you can edit the lookup.

  1. Select Configure > Content > Content Management.
  2. Click Create New Content > Managed Lookup.
  3. Click Select Existing.
  4. Select the lookup definition from the drop-down list.
  5. (Optional) Modify the lookup type.
  6. Type a label for the lookup. The label appears as the name for the lookup on the Content Management page.
  7. Type a description for the lookup.
  8. (Optional) Change the option to allow editing of the lookup file.
  9. Click Save.

Verify that you added a lookup successfully

Confirm that you added a lookup file successfully by using the inputlookup search command to display its contents. For example, to review the application protocols lookup:

| inputlookup append=T application_protocol_lookup

Edit a lookup in Splunk Enterprise Security

Only users with appropriate permissions can edit lookups. See Manage permissions in Splunk Enterprise Security. Lookups do not accept regular expressions, and the lookup editor does not validate the accuracy of your entries. You cannot save a lookup file with empty header fields.
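Because the lookup editor does not validate entries and refuses to save a file with empty header fields, it helps to check a CSV before uploading it through Content Management (steps above) or pasting rows into the editor. The following added example is not Splunk code or part of this documentation; it is a stand-alone validator that reports empty or duplicate header names and rows whose column count does not match the header. The two sample lookup bodies are constructed for illustration.

```python
import csv
import io

# Constructed sample lookup contents (not taken from the documentation):
# one well-formed file and one with an empty header field plus a short row.
GOOD_LOOKUP = """dest_port,transport,app
53,udp,dns
443,tcp,https
"""

BAD_LOOKUP = """dest_port,,app
53,udp,dns
443,tcp
"""


def validate_lookup_csv(text):
    """Return a list of problems found in a CSV lookup body; an empty list means OK.

    The checks mirror what the ES lookup editor rejects (empty header fields)
    and what would silently break field matching later (duplicate header names,
    rows whose width differs from the header).
    """
    problems = []
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return ["file is empty"]

    header = rows[0]
    for idx, name in enumerate(header):
        if name.strip() == "":
            problems.append(f"empty header field at column {idx + 1}")

    seen = set()
    for name in header:
        if name and name in seen:
            problems.append(f"duplicate header field '{name}'")
        seen.add(name)

    # Data rows start on line 2 of the file; blank lines are ignored.
    for lineno, row in enumerate(rows[1:], start=2):
        if not row:
            continue
        if len(row) != len(header):
            problems.append(
                f"line {lineno}: {len(row)} fields, header has {len(header)}"
            )
    return problems


if __name__ == "__main__":
    for label, body in (("good", GOOD_LOOKUP), ("bad", BAD_LOOKUP)):
        issues = validate_lookup_csv(body)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```

Run the script against a file by reading it into a string and passing it to validate_lookup_csv; an empty result means the header and row widths are consistent and the file can be uploaded as a managed lookup.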

Stop managing a lookup

You can stop managing a lookup on the Content Management page by clicking Stop managing. When you stop managing a lookup, you can no longer edit it from Splunk Web, but the lookup is not deleted.

Export a lookup in Splunk Enterprise Security

  1. On Content Management, locate the lookup that you want to export.
  2. Under the Actions column, click Export to export a copy of the file in CSV format.

You can export multiple lookup files and other knowledge objects as part of an app. See Export content from Splunk Enterprise Security as an app in Administer Splunk Enterprise Security.

Audit changes made to lookup files

To review the last time a lookup file was edited and by whom, use a search. For example:

index=_internal uri_path="/splunk-es/en-US/app/SplunkEnterpriseSecuritySuite/ess_lookups_edit"
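The search above returns the raw web access events for the lookup editor path. As an added example that is not part of this documentation or of Splunk, the following script shows the same audit question answered offline: given web access log lines, it reports the latest edit time per user for requests to ess_lookups_edit. The four log lines are constructed, and the Apache-style line layout (client, user, timestamp, request line) is an assumption about how Splunk's web access log is formatted, not something stated on this page.

```python
import re
from datetime import datetime

# Path the documentation's audit search filters on.
EDIT_PATH = "/splunk-es/en-US/app/SplunkEnterpriseSecuritySuite/ess_lookups_edit"

# Constructed sample lines (assumed Apache-style layout; not real log data).
SAMPLE_LOG = """\
10.0.0.5 - admin [11/Aug/2023:09:12:03.215 +0000] "POST /splunk-es/en-US/app/SplunkEnterpriseSecuritySuite/ess_lookups_edit HTTP/1.1" 200 512 - - - 34ms
10.0.0.7 - analyst1 [11/Aug/2023:10:40:51.009 +0000] "GET /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management HTTP/1.1" 200 4096 - - - 12ms
10.0.0.7 - analyst1 [11/Aug/2023:10:42:17.441 +0000] "POST /splunk-es/en-US/app/SplunkEnterpriseSecuritySuite/ess_lookups_edit?ns=SA-ThreatIntelligence HTTP/1.1" 200 512 - - - 29ms
10.0.0.5 - admin [12/Aug/2023:08:01:00.000 +0000] "POST /splunk-es/en-US/app/SplunkEnterpriseSecuritySuite/ess_lookups_edit HTTP/1.1" 200 512 - - - 31ms
"""

# client - user [timestamp] "METHOD path ..."
LINE_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)


def parse_line(line):
    """Parse one access line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S.%f %z")
    # Drop any query string so the comparison behaves like uri_path in the search.
    path = m.group("path").split("?", 1)[0]
    return {"src": m.group("src"), "user": m.group("user"), "ts": ts,
            "method": m.group("method"), "path": path}


def last_lookup_edits(log_text):
    """Return {user: datetime of that user's most recent lookup-editor request}."""
    latest = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != EDIT_PATH:
            continue
        if rec["user"] not in latest or rec["ts"] > latest[rec["user"]]:
            latest[rec["user"]] = rec["ts"]
    return latest


if __name__ == "__main__":
    for user, ts in sorted(last_lookup_edits(SAMPLE_LOG).items()):
        print(f"{user}: last lookup edit at {ts.isoformat()}")
```

In Splunk itself the equivalent summary is the documented search followed by a stats command grouped by user; the script only demonstrates the filtering and "latest per user" logic on lines you already have.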

Last modified on 11 August, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
