Splunk® App for Lookup File Editing

User Guide

Create a new lookup in the Splunk App for Lookup File Editing

Using the Splunk App for Lookup File Editing, you can edit, import, and export KV store and CSV file lookups in an interface similar to Microsoft Excel.

To create a new lookup in the Splunk App for Lookup File Editing, complete the following steps:

  1. Log in to Splunk Web.
  2. From the Apps listing, select the Splunk App for Lookup File Editing.
  3. Select Lookups > Create New Lookup, or select the New Lookup tab. You can create either a CSV lookup or a KV store lookup. The following steps use a CSV lookup as an example.
  4. Select Create CSV Lookup.

    Nonadmin users can't create external lookups or KV store files.

  5. (Optional) If you're creating a new CSV lookup, you can edit the total backup size limit for that particular lookup file. See Edit the backup size limit for CSV lookups.
  6. On the New Lookup page, select Import. In the resulting dialog box, you can upload your CSV file or drag and drop it.

    The size limit for lookups is 100 MB.

    This image shows the New Lookup page for a new CSV lookup. A button labeled Import has been selected, which results in a dialog box. In this dialog box, you can select a CSV file to import from your computer or drag and drop the CSV file in the box.
  7. After the CSV file imports, select any cell in the table to make edits.

    CSV files can use only one cell delimiter to correctly import and separate data into columns. If your data does not separate into columns correctly, check the CSV file for values such as semicolons or pipes that might misidentify as delimiters.

    You can also use the keywords High, Medium, and Low to color-code the corresponding fields.

    This image shows the New Lookup tab following the import of an example CSV. In this example a new column has been added and named Urgency. In this column is a row labeled high, a row labeled medium, and a row labeled low. When used, these field names autofill with a corresponding color - high in orange, medium in yellow, and low in green.
  8. (Optional) Select the User only check box to keep the lookup private.
  9. (Optional) To change the text alignment in the lookup columns, select the left ( left alignment icon ), right ( right alignment icon ), or center ( center alignment icon ) icon.
  10. Select Save Lookup.

    You can save a lookup with the same name as a lookup created by another user without rewriting the existing lookup. However, you can't save a lookup with the same name as one you've already created.

  11. (Optional) Select the toggle switch to save a backup of the lookup file. If you set a backup limit for the lookup file and you've already reached the limit, you can either edit the total backup limit size or navigate to the backup manager page where you can delete unwanted backups and organize your existing backups.

    If you have less than 10% of your disk space remaining, you must manage the disk space in the backup manager to free up space.


    This image shows the Save Lookup dialog box for saving a backup for a lookup file.
  12. Select Save Lookup again to confirm your changes.

The process for creating a CSV file lookup is similar to the process for creating a KV store lookup. When you create a KV store lookup rather than a CSV file lookup, there are some differences in the user interface of the New Lookup page.
This image shows the screen for when you select to add a new KV Store lookup rather than a CSV.

Last modified on 29 May, 2024
Getting started with the Splunk App for Lookup File Editing   Edit a lookup file in the Splunk App for Lookup File Editing

This documentation applies to the following versions of Splunk® App for Lookup File Editing: 4.0.2, 4.0.4

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters