Splunk® Enterprise

Knowledge Manager Manual

Download manual as PDF

Download topic as PDF

Introduction to lookup configuration

Lookups add fields from an external source to your events based on the values of fields that are already present in those events. A simple lookup example would be a lookup that works with a CSV file that combines the possible HTTP status values (303, 404, 201, and so on) with their definitions. If you have an event that includes an HTTP status value, the lookup could add the HTTP status description to the event.

You can also use lookups to perform this action in reverse, so that they add fields from your events to rows in a lookup table.

You can configure different types of lookups. Lookups are differentiated in two ways: by data source and by information type.

For more information on dataset types, see Dataset types and usage.

Lookup type Data source Description
CSV lookup A CSV file Populates your events with fields pulled from CSV files. Also referred to as a "static lookup" because CSV files represent static tables of data. Each column in a CSV table is interpreted as the potential values of a field.


CSV inline lookup table files and inline lookup definitions that use CSV files are both dataset types.

External lookup An external source, such as a DNS server. Uses Python scripts or binary executables to populate your events with field values from an external source. Also referred to as a "scripted lookup."


Not a dataset type.

KV Store lookup A KV Store collection Matches fields in your events to fields in a KV Store collection and outputs corresponding fields in that collection to your events.


Not a dataset type.

Geospatial lookup A KMZ (compressed keyhole markup language) file, used to define boundaries of mapped regions such as countries, US states, and US counties. You use a geospatial lookup to create a query that Splunk software uses to configure a choropleth map. A geospatial lookup matches location coordinates in your events to geographic feature collections in a KMZ (Keyhole Markup Language) file and outputs fields to your events that provide corresponding geographic feature information encoded in the KMZ, like country, state, or county names.


Not a dataset type

PREVIOUS
Lookup example in Splunk Web
  NEXT
Configure CSV lookups

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters