Splunk® Enterprise

Data Model and Pivot Tutorial

Add lookup files

The data models and pivots that you will create in this tutorial require some fields from an external lookup file. This topic walks through adding the required lookup to your Splunk deployment and creating a new lookup definition.

CSV lookups let you reference fields in an external CSV file that match fields in your event data. Using this match, you can enrich your event data by adding more meaningful information and searchable fields to each event.

For more information about lookups, see About lookups.

For more information about CSV lookups, see Define a CSV lookup in Splunk Web.

Download the lookup file

Download and uncompress the following file:

This file maps the productId, which exists in the Buttercup Games tutorial data, to a product name and price.

Find the Lookups manager

  1. In the Splunk bar, on the upper right, click Settings.
  2. Under Knowledge, click Lookups.
    This opens the Lookups editor where you can create new lookups or edit existing ones.
    You can view and edit existing lookups by clicking on the links in the table for Lookup table files, Lookup definitions, and Automatic lookups.

Upload the lookup table file

  1. In the Lookups manager under "Actions" for Lookup table files, click Add new. This takes you to the Add new lookup table files view where you upload CSV files to use in your definitions for field lookups.
  2. To save your lookup table file in the Search app, leave the Destination app as search.
  3. Under Upload a lookup file, browse for the CSV file (prices.csv) to upload.
  4. Under Destination filename, name the file prices.csv. This is the name you use to refer to the file in a lookup definition.
  5. Click Save. This uploads your lookup file to the Search app and returns to the lookup table files list.
    Note: If an error occurs when you upload the file, check that you uncompressed it after downloading it.
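
A pre-upload check for the lookup file, as an added example that is not part of the Splunk documentation: it catches the still-compressed file mentioned in the note above, a missing productId key column, and empty or duplicate keys. The column names product_name and price and the sample rows are constructed assumptions.

```python
import csv
import io

# Magic bytes of archive formats the downloaded lookup may still be in.
ARCHIVE_MAGIC = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip"}

# Constructed sample; product_name and price are assumed column names.
SAMPLE_OK = (b"productId,product_name,price\n"
             b"EX-001,Example Game,9.99\n"
             b"EX-002,Other Game,4.99\n")


def check_lookup_csv(data: bytes, key_field: str = "productId") -> list:
    """Return the problems found in a lookup file; an empty list means OK."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return [f"file is still {kind}-compressed; uncompress it first"]
    try:
        text = data.decode("utf-8-sig")  # tolerate a UTF-8 byte-order mark
    except UnicodeDecodeError:
        return ["file is not UTF-8 text"]
    reader = csv.DictReader(io.StringIO(text, newline=""))
    fields = reader.fieldnames or []
    if key_field not in fields:
        return [f"header has no {key_field!r} column: {fields}"]
    problems, seen = [], set()
    for row in reader:
        where = f"line {reader.line_num}"
        key = (row.get(key_field) or "").strip()
        if not key:
            problems.append(f"{where}: empty {key_field}")
        elif key in seen:
            problems.append(f"{where}: duplicate {key_field} {key!r}")
        seen.add(key)
        # DictReader files surplus cells under None and pads short rows with None.
        if None in row or None in row.values():
            problems.append(f"{where}: column count differs from header")
    return problems


if __name__ == "__main__":
    print(check_lookup_csv(SAMPLE_OK) or "prices.csv looks OK")
```
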

Share the lookup table file globally

If the lookup file is not shared, you cannot select it when you define the lookup.

  1. Go to the Lookup table files list.
  2. Under Sharing for the prices.csv lookup table's Path, click Permissions.
    This opens the Permission dialog box for the prices.csv lookup file.
  3. Under Object should appear in, select All apps.
  4. Click Save.
    Now, the lookup table should be shared with Global permissions.

Add the field lookup definition

  1. Return to the Lookups manager.
  2. Under Actions for Lookup definitions, click Add New. This takes you to the Add new lookups definitions view where you define your field lookup.
  3. Leave the Destination app as search.
  4. Name your lookup prices_lookup.
  5. Under Type, select File-based. File-based lookups add fields from a static table, usually a CSV file.
  6. Under Lookup file, select prices.csv (the name of your lookup table).
  7. Leave Configure time-based lookup and Advanced options unselected.
  8. Click Save. This defines prices_lookup as a CSV lookup.

Share the lookup definition with all apps

  1. Return to the Lookup definitions list.
  2. Under Sharing for prices_lookup, click Permissions. The Permission dialog box for prices_lookup opens.
  3. Under Object should appear in, select All apps.
  4. Click Save. Now, prices_lookup should be shared with Global permissions.

Next steps

Continue to the next section to learn about data models and create them.


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12

