Application Management

 


Use a lookup



Using a lookup is transparent. You can use the created field just like any other field.

Use a lookup from the search bar

activity now appears as a field in your results and you can search on it, display it in results, and do everything you can do with any other field.

1. To search only for events that include the ModifyAccount activity, run the following search:

AppManageModifyAccountLookup.png

2. You can also select the activity field in the field menu by clicking on the histogram and then clicking Select/show in results:

AppManagePickActivityField.png

3. Click on the event table icon to change the view:

AppManageEventTableIcon.png

4. Run a search to see a table of all activities by name:

index="test" activity=*

AppManageActivityEventTable.png

Use a lookup in a saved search

Now use your generated activity field in a report. The Monitor transaction performance walkthrough showed a report, Average Duration by Activity Code. The report contained the following search:

eventtype="CONTENT_EVENTS" | transaction accountNumber subscriberID maxspan=1m maxpause=30s | timechart span=1m avg(duration) by activityCode

You want to reuse that report, but you want to modify it to show the activity by name, not just by code. You also want to set this search to run every 5 minutes, so that you can display it in a dashboard later. You can edit the search or make a copy of it and edit the copy. To edit a copy of a saved search:

1. From the Search app in Splunk Web, navigate to Manager.

2. Click Searches and Reports.

3. Locate Average Duration by Activity Code and click Clone.

4. Enter Average Duration by Activity for the Name.

5. Change the search to:

eventtype="CONTENT_EVENTS" | transaction accountNumber subscriberID maxspan=1m maxpause=30s | timechart avg(duration) by activity

6. Change the Start time to -5m and make sure the Finish time is set to -20m. Again, this gives time for the events to be finalized in the index before you run the search.

7. For this search, Schedule this search is already selected. Select Basic for the schedule type and select Every 5 minutes.

8. You do not need an alert for this search, so reset Alert Conditions to choose.

9. Click Save.

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8.

