Splunk® Enterprise

Knowledge Manager Manual

Download manual as PDF

Download topic as PDF

Lookup example in Splunk Web

This example defines a file-based CSV lookup that adds two fields, status_description and status_type, to your web access events. This lets you search for events when you do not know the specific error code. Instead of searching for all server error codes, use status="Server Error".

Upload the lookup file to Splunk Enterprise

Prerequisities


There are three columns in the file: status, status_description, and status_type. The following is a sample of the file:

status,status_description,status_type
100,Continue,Informational
101,Switching Protocols,Informational
200,OK,Successful
201,Created,Successful
202,Accepted,Successful
203,Non-Authoritative Information,Successful
...

Steps

  1. From the Search app, then select Settings > Lookups.
  2. Select Add new for Lookup table files.
  3. Select search for the destination app.
  4. Browse for the CSV file that you downloaded earlier.
  5. Name the lookup table http_status.
  6. Click Save.
  7. Upload http status 4.2 b.png

    After Splunk Enterprise saves the file, it takes you to the following view:

    Upload lookup table file b.png

Define the lookup

Prerequisites

Steps

  1. From Settings > Lookups, select Add new for Lookup definitions.
  2. Select search for the Destination app.
  3. Name your lookup definition http_status.
  4. Select File-based under Type.
  5. Click Save.
    Lookup def saved-b.png
    Notice that there are some actions you can take on your lookup definition. Permissions lets you change who can access the lookup table. You can Disable, Clone, and Move the lookup definition to a different app. Or, you can Delete the lookup definition. After you create the lookup definition, you can use the lookup command to invoke the lookup in a search or you can configure the lookup to run automatically.

Set the lookup to run automatically

Prerequisites

Steps

  1. Return to the Settings > Lookups view and select Add new for Automatic lookups.
  2. In the Add new page:
    Add new automatic lookup b.png
  3. Select search for the Destination app.
  4. Name the lookup http_status.
  5. Select http_status from the Lookup table drop down.
  6. Apply the lookup to the sourcetype named access_combined.
    Apply lookup to field b.png
  7. Lookup input fields are the fields in our events that you want to match with the lookup table. Here, both are named status (the CSV column name goes on the left and the field that you want to match goes on the right): Lookup input fields b.png
  8. Lookup output fields are the fields from the lookup table that you want to add to your events: status_description and status_type. The CSV column name goes on the left and the field that you want to match goes on the right. Lookup output fields b.png
  9. Click Save.
PREVIOUS
Define an automatic lookup in Splunk Web
  NEXT
Introduction to lookup configuration

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters