Splunk® Enterprise

Search Tutorial

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Use field lookups

This topic takes you through using field lookups to add new fields to your events. Field lookups let you reference fields in an external CSV file that match fields in your event data. Using this match, you can enrich your event data by adding more meaningful information and searchable fields to each event.

Download and uncompress the following file:

Important: To complete the rest of the tutorial, you have to follow the procedures in this topic. If you do not add configure the field lookup, the searches in the following topics will not produce the correct results.

Find the Lookups manager

1. In the Splunk bar, on the upper right, click Settings.

2. Under Knowledge, click Lookups.

Tutorials home settings menu.png

This opens the Lookups editor where you can create new lookups or edit existing ones. You can view and edit existing lookups by clicking on the links in the table for Lookup table files, Lookup definitions, and Automatic lookups. To add new lookups, click Add new under Actions for that lookup item.

Upload the lookup table file

1. In the Lookups manager under "Actions" for Lookup table files, click Add new.

This takes you to the Add new' lookup table files view where you upload CSV files to use in your definitions for field lookups.

Search tutorial fieldlookups1.png

2. To save your lookup table file in the Search app, leave the Destination app as search.

3. Under Upload a lookup file, browse for the CSV file (prices.csv) to upload.

4. Under Destination filename, name the file prices.csv.

This is the name you use to refer to the file in a lookup definition.

5. Click Save.

This uploads your lookup file to the Search app and returns to the lookup table files list.

Note: If Splunk does not recognize or cannot upload the file, check that it was uncompressed before you attempt to upload it again.

Share the lookup table file globally

If the lookup file is not shared, you can not select it when you define the lookup.

1. Click Lookups in the breadcrumb to return to the Lookups manager.

2. Under Sharing for the prices.csv lookup table's Path, click Permissions.

This opens the Permission dialog box for the prices.csv lookup file.

3. Under Object should appear in, select All apps.

4. Click Save.

Add the field lookup definition

1. In the Lookups manager, under Actions for Lookup definitions, click Add New.

This takes you to the Add new lookups definitions view where you define your field lookup.

Search tutorial fieldlookups2.png

2. Leave the Destination app as search.

3. Name your lookup prices_lookup.

4. Under Type, select File-based.

File-based lookups add fields from a static table, usually a CSV file.

5. Under Lookup file, select prices.csv (the name of your lookup table).

6. Leave Configure time-based lookup and Advanced options unselected.

7. Click Save.

This defines prices_lookup as a file-based lookup.

Share the lookup definition with all apps

1. In the Lookup definitions manage, under Sharing, click Permissions.

Search tutorial fieldlookups2.51.png

The Permission dialog box for the prices.lookup opens.

2. Under Object should appear in, select All apps.

Search tutorial fieldlookups2.52.png

3. Click Save.

This shares the lookup definition globally.

Make the lookup automatic

1. In the Lookups manager, under Actions for Automatic lookups, click Add New.

This takes you to the Add New automatic lookups view where you configure the lookup to run automatically.

Search tutorial fieldlookups2.5.png

2. Leave the Destination app as search.

3. Name your automatic lookup price_lookup.

4. Under Lookup table, select price_lookup.

5. Under Apply to and named, select sourcetype and type in access_combined_wcookie.

6. Under Lookup input fields type in the access_combined_wcookie for the sourcetype and productId in both text areas under Lookup input fields .

Search tutorial fieldlookups3.png

The input field is the field in your event data that you use to match the field in the lookup table.

Splunk Enterprise matches the field in the lookup table (which is the one specified on the left) with the field on the right (which is the field in your events). In this case the field names match.

Search tutorial fieldlookups4.png


7. Under Lookup output fields, type in the name of the fields that you want to add to your event data based on the input field matching and rename the fields.

7.1 In the first text area, type product_name, which contains the descriptive name for each productId.

7.2. In the second text area, after the equal sign, type productName. This renames the field to productName.

7.3. Click Add another field to add more fields after the first one.

7.4. Add the field price, which contains the price for each productId. Do not rename this field.


8. Leave Overwrite field values unchecked.


9. Click Save.

This returns you to the list of automatic lookups and you should see your configured lookup.

Search tutorial automaticlookup.png


10. To view the the new fields in your data, first return to Search.

11. Run the search for web access activity:

sourcetype=access_*

12. Scroll through the fields sidebar or Fields dialog, and find the price and productName fields.

13. Click All fields and add them to the Selected fields list.


Search tutorial select lookupfields.png

These new fields appear in the events list.

Search with the new lookup fields

Run the previous subsearch example to see what the VIP customer bought. This time, replace the productId field with the more readable productName:

sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productName) AS "Product Names" by clientip | rename clientip AS "VIP Customer"

The result is the same as in the previous subsearch example, except that the VIP customer's purchases are more meaningful with the added descriptive product names.

Search tutorial fieldlookups5.png


The next section takes you through saving this search as a report called "VIP Customer".

Next steps

As you run more searches, you want to be able to save to reuse or share them with other people. Go to "About saving and sharing reports" to learn about saving and sharing reports.

PREVIOUS
Use a subsearch
  NEXT
About saving and sharing reports

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1.13, 6.1.14


Comments

There should be 14 product names listed, actually. I'll look into this and update. Thanks!

Sophy
February 5, 2014

I'm noticing that it says the customer purchased 14 different items, but the lookup produces 12 different results. If the productIds dont exist in the lookup csv, are they just ignored? Or would it at least return a Product Id? Is there an indication somewhere that would show tat they weren't found?

Richter12x2
February 4, 2014

Thanks for catching that, Jstallings. I've updated the instructions.

Sophy
January 3, 2014

There are missing instructions to share prices.csv file globally. If this step is not preformed then the file will not be available from the file dropdown in the Define the Field Lookup section.<br /><br />After uploading lookup file in the lookup table file section, under the File Sharing column, click the permissions link. Click the All apps radio button to share the file globally.

Jstallings
December 20, 2013

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters