Create and manage lookups in Splunk Enterprise Security
Splunk Enterprise Security provides lookups to manage asset and identity correlation with events, match threat indicators with events, and enrich dashboards and panels with information.
As an administrator, you can add lookups to Splunk Enterprise Security. After you add lookups to Splunk Enterprise Security, you can use the lookups in searches, edit them, add descriptions, and export them.
Add a lookup to Splunk Enterprise Security
Upload and create a lookup in Splunk Enterprise Security.
- Select Configure > Content > Content Management.
- Click Create New Content > Managed Lookup.
- Click Create New.
- Select a lookup file to upload.
- (Optional) Change the default App for the file.
- (Optional) Modify the file name.
- (Optional) Modify the definition name.
- (Optional) Change the default lookup type.
- Type a label for the lookup. The label appears as the name for the lookup on the Content Management page.
- Type a description for the lookup.
- (Optional) Change the option to allow editing of the lookup file.
- Click Save.
Add an existing lookup to Splunk Enterprise Security
If the lookup file and definition already exist in the Splunk platform, you can add them to Splunk Enterprise Security so that you can edit the lookup there.
- Select Configure > Content > Content Management.
- Click Create New Content > Managed Lookup.
- Click Select Existing.
- Select the lookup definition from the drop-down list.
- (Optional) Modify the lookup type.
- Type a label for the lookup. The label appears as the name for the lookup on the Content Management page.
- Type a description for the lookup.
- (Optional) Change the option to allow editing of the lookup file.
- Click Save.
Verify that you added a lookup successfully
Confirm that you added a lookup file successfully by using the inputlookup search command to display its contents. For example, to review the application protocols lookup:
| inputlookup append=T application_protocol_lookup
Edit a lookup in Splunk Enterprise Security
Only users with appropriate permissions can edit lookups. See Manage permissions in Splunk Enterprise Security. Lookups do not accept regular expressions, and the lookup editor does not validate the accuracy of your entries. You cannot save a lookup file with empty header fields.
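Because the lookup editor does not validate entries and rejects files with empty header fields, it is worth checking a CSV before uploading it. The following Python pre-check is an added example, not part of the Splunk documentation or product; the sample lookup contents and column names are constructed for illustration.

```python
"""Pre-upload sanity check for a CSV lookup file (added example, not Splunk code)."""
import csv
import io


def check_lookup_csv(text):
    """Return a list of problems found in a CSV lookup; an empty list means it passed.

    Checks: a header row exists, no header field is empty, no header field is
    duplicated, and every data row has the same number of fields as the header.
    Completely blank lines are ignored.
    """
    problems = []
    rows = [row for row in csv.reader(io.StringIO(text)) if row]
    if not rows:
        return ["file is empty: no header row"]
    header = rows[0]
    for i, name in enumerate(header):
        if name.strip() == "":
            problems.append(f"header field {i + 1} is empty")
    seen = set()
    for name in header:
        if name in seen:
            problems.append(f"duplicate header field '{name}'")
        seen.add(name)
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            problems.append(
                f"line {lineno}: expected {len(header)} fields, found {len(row)}"
            )
    return problems


# Constructed sample: a small lookup mapping ports to application protocols.
GOOD_LOOKUP = """dest_port,transport,app
22,tcp,ssh
53,udp,dns
443,tcp,https
"""

# Constructed sample with an empty header field and a short data row.
BAD_LOOKUP = """dest_port,,app
22,tcp,ssh
53,udp
"""

if __name__ == "__main__":
    for label, data in (("good", GOOD_LOOKUP), ("bad", BAD_LOOKUP)):
        print(label, check_lookup_csv(data) or "ok")
```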
Stop managing a lookup
You can stop managing a lookup on the Content Management page by clicking Stop managing. When you stop managing a lookup, you can no longer edit it from Splunk Web, but the lookup file itself is not deleted.
Export a lookup in Splunk Enterprise Security
- On Content Management, locate the lookup that you want to export.
- Under the Actions column, click Export to export a copy of the file in CSV format.
You can export multiple lookup files and other knowledge objects as part of an app. See Export content from Splunk Enterprise Security as an app in Administer Splunk Enterprise Security.
Audit changes made to lookup files
To review the last time a lookup file was edited and by whom, use a search. For example:
index=_internal uri_path="/splunk-es/en-US/app/SplunkEnterpriseSecuritySuite/ess_lookups_edit"
This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2