Use lookup to add fields from lookup tables
You can match fields in your events to fields in external sources, such as lookup tables, and use these matches to add more information inline to your events.
A lookup table can be a static CSV file, a KV store collection, or the output of a Python script. You can also use the results of a search to populate the CSV file or KV store collection and then set that up as a lookup table. For more information about field lookups, see "Configure CSV and external lookups" and "Configure KV store lookups" in the Knowledge Manager Manual.
After you configure a fields lookup, you can invoke it from the Search app with the
Example: Given a field lookup named
dnslookup, referencing a Python script that performs a DNS and reverse DNS lookup and accepts either a host name or IP address as arguments -- you can use the lookup command to match the host name values in your events to the host name values in the table, and then add the corresponding IP address values to your events.
... | lookup dnslookup host OUTPUT ip
For a more extensive example using the Splunk script
external_lookup.py, see "Reverse DNS Lookups for Host Entries" in the Splunk blogs.
Use the eval command and functions
Extract fields with search commands
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3