Create and manage lookups in Splunk Enterprise Security
Splunk Enterprise Security provides lookups to manage asset and identity correlation with events, match threat indicators with events, and enrich dashboards and panels with information.
Users with appropriate role permissions can add lookups to Splunk Enterprise Security. After you add lookups to Splunk Enterprise Security, you can use the lookups in searches, edit the lookups, add descriptions to the lookups, and export the lookups.
New managed lookups are stored at the application level in /etc/apps/<app_name>/lookups/new_lookup.csv instead of at the user level in /etc/users/<owner>/<app_name>/lookups/new_lookup.csv, which lets you edit the lookups that you create.
Add a lookup to Splunk Enterprise Security
Upload and create a lookup in Splunk Enterprise Security.
- Select Security content then Content management.
- Select Create New Content then Managed Lookup.
- Select Create New.
- Select a lookup file to upload.
- (Optional) Change the default App for the file.
- (Optional) Modify the file name.
- (Optional) Modify the definition name.
- (Optional) Change the default lookup type.
- Type a label for the lookup. The label appears as the name for the lookup on the Content Management page.
- Type a description for the lookup.
- (Optional) Change the option to allow editing of the lookup file.
- Select Save.
Add an existing lookup to Splunk Enterprise Security
If the lookup file and definition already exist in the Splunk platform, you can add them to Splunk Enterprise Security so that you can edit the lookup.
- Select Security content then Content management.
- Select Create New Content then Managed Lookup.
- Select Select Existing.
- Select the lookup definition from the drop-down list.
- (Optional) Modify the lookup type.
- Type a label for the lookup. The label appears as the name for the lookup on the Content management page.
- Type a description for the lookup.
- (Optional) Change the option to allow editing of the lookup file.
- Select Save.
Verify that you added a lookup successfully
Confirm that you added a lookup file successfully by using the inputlookup search command to display the list. For example, to review the application protocols lookup:
| inputlookup append=T application_protocol_lookup
Edit a lookup in Splunk Enterprise Security
Only users with appropriate permissions can edit lookups. See Manage permissions in Splunk Enterprise Security. Lookups do not accept regular expressions, and the lookup editor does not validate the accuracy of your entries. You cannot save a lookup file with empty header fields.
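Because the lookup editor does not validate entries, a file with an empty header field, a duplicate column, or a ragged row is only caught when the save fails, and a value that looks like a regular expression is silently matched literally. The following added example (not part of the Splunk documentation or the Splunk product) checks a CSV lookup file for these problems before you upload it. The sample lookup contents are constructed for the example; the column names are assumptions and the checks mirror the constraints stated above.

```python
import csv
import io
import re

# Constructed sample lookup (not from the page): column 3 has an empty header,
# "transport" appears twice, and one row uses ".*" as if it were a wildcard.
BAD_LOOKUP_CSV = """dest_port,transport,,transport,description
80,tcp,,tcp,http
443,tcp,,tcp,https
.*,udp,,udp,wildcard entry
"""

# Constructed sample lookup that passes every check.
GOOD_LOOKUP_CSV = """dest_port,transport,description
80,tcp,http
443,tcp,https
"""

# Characters that suggest the author intended a regular expression. A bare "."
# is deliberately excluded so that IP addresses and hostnames do not trigger it.
REGEX_HINT = re.compile(r"\.\*|[\^$|\\\[\]()+?]")


def validate_lookup_csv(text):
    """Return a list of problems found in a CSV lookup file.

    Checks performed:
      - no empty header field (Enterprise Security refuses to save such a file)
      - no duplicate header field
      - every data row has the same number of columns as the header
      - a warning for values that look like regular expressions, since
        lookups do not accept them and the value will be matched literally
    An empty list means the file passed every check.
    """
    problems = []
    reader = csv.reader(io.StringIO(text))
    try:
        header = next(reader)
    except StopIteration:
        return ["file is empty"]

    for position, name in enumerate(header, start=1):
        if name.strip() == "":
            problems.append(f"header column {position} is empty")

    seen = set()
    for name in header:
        if name and name in seen:
            problems.append(f"duplicate header field {name!r}")
        seen.add(name)

    for row_no, row in enumerate(reader, start=2):
        if len(row) != len(header):
            problems.append(
                f"row {row_no}: expected {len(header)} columns, found {len(row)}"
            )
        for name, value in zip(header, row):
            if REGEX_HINT.search(value):
                problems.append(
                    f"row {row_no}: value {value!r} in {name!r} looks like a "
                    "regular expression and will be matched literally"
                )
    return problems


def validate_lookup_file(path):
    """Convenience wrapper: validate a lookup CSV on disk by path."""
    with open(path, newline="", encoding="utf-8") as fh:
        return validate_lookup_csv(fh.read())


if __name__ == "__main__":
    for label, sample in (("good", GOOD_LOOKUP_CSV), ("bad", BAD_LOOKUP_CSV)):
        found = validate_lookup_csv(sample)
        print(f"{label}: {'ok' if not found else ''}")
        for problem in found:
            print(f"  - {problem}")
```

Run the checker against a file with validate_lookup_file("path/to/lookup.csv") before uploading it through Content management; an empty result means the header and row structure will be accepted, and any regex-style warnings tell you which values will not behave as patterns.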
Stop managing a lookup
To stop managing a lookup, select Stop managing on the Content management page. When you stop managing a lookup, you can no longer edit the lookup from Splunk Web but the lookup is not deleted.
Export a lookup in Splunk Enterprise Security
- On Content Management, locate the lookup that you want to export.
- Under the Actions column, select Export to export a copy of the file in CSV format.
You can export multiple lookup files and other knowledge objects as part of an app. See Export content from Splunk Enterprise Security as an app in Administer Splunk Enterprise Security.
Audit changes made to lookup files
To review the last time a lookup file was edited and by whom, use a search. For example:
index=_internal uri_path="/splunk-es/en-US/app/SplunkEnterpriseSecuritySuite/ess_lookups_edit"
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0