Splunk® Enterprise

Search Tutorial


Search with field lookups

Show the lookup fields in your search results

Now that you have defined the prices_lookup as an automatic lookup, you can display its output fields in your search results.

  1. In the Apps menu, click Search & Reporting to return to the Search summary view.
  2. Run the following search to locate all of the web access activity:

     sourcetype=access_*

  3. Scroll through the list of Interesting Fields in the fields sidebar, and find the price field.
  4. Click price to open the Field summary dialog box for the field.
     This screen image shows the Field summary dialog box for the price field.
  5. Next to Selected, click Yes.
  6. Close the dialog box.
  7. Scroll through the list of Interesting Fields in the fields sidebar, and find the productName field.
  8. Click productName to open the Field summary dialog box for the field.
  9. Next to Selected, click Yes.
  10. Close the dialog box.

  Both the price field and the productName field now appear in the Selected Fields list and in the search results.
  Notice that not every event shows the price and the productName fields. The automatic lookup matches on productId, so an event that carries no productId, or whose productId has no row in the lookup table, receives no price or productName from the lookup.
  This screen image shows the lookup fields in the Selected Fields list and in the search results. The third event in the list is highlighted. The lookup fields do not appear in every event.

Search with the new lookup fields

In the previous section about subsearches, you created a search that returned the product IDs of the products that a VIP client purchased.

sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productId) AS "Products ID" BY clientip | rename clientip AS "VIP Customer"

This screen image shows the results on the Statistics tab. The first column shows the client IP address. The second column shows that the customer made 134 purchases. The third column shows that 14 different products were purchased.

The search returns product IDs because productId is the only product-related field extracted from the raw access events.

However, now that you have defined the automatic lookup, you can return the actual product names and the prices.

  1. Use the same search that shows the product IDs for what the VIP customer bought.
  2. In the values function, replace the productId field with the productName field.
    You can copy and paste the search example below into the Search bar instead of editing the search criteria.

    sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productName) AS "Product Names" BY clientip | rename clientip AS "VIP Customer"

    The results are the same as in the previous search example: they show the purchases by the VIP customer. However, the results are more meaningful because the product names appear instead of the more cryptic product IDs. Note that dc(productId) still counts IDs, so a purchase whose productId has no row in the lookup table is counted in Total Products but contributes nothing to Product Names.
    This screen image shows the search results. This is the same as the previous image with one important change. The last column in the previous image showed the Product IDs. In this image the last column shows the names of the products that were purchased.
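The following Python script is an added example, not code from the Splunk documentation. It models what the automatic lookup and the VIP-customer search above do, so you can see why lookup fields appear on only some events (previous section) and how a productId with no lookup row is counted by dc(productId) but dropped by values(productName) (this section). The access events, the prices.csv contents and the column names product_name and price are all constructed sample data; the real tutorial CSV and lookup definition may differ.

```python
"""Added example: model Splunk's automatic lookup and the tutorial's VIP search in Python."""
import csv
import io
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed access_* events in Apache-style format (sample data, not from the page).
SAMPLE_EVENTS = """\
91.205.189.15 - - [28/Sep/2016:18:22:16] "GET /cart.do?action=purchase&itemId=EST-14&productId=WC-SH-G04 HTTP/1.1" 200 2118
91.205.189.15 - - [28/Sep/2016:18:22:17] "GET /product.screen?productId=WC-SH-G04 HTTP/1.1" 200 3452
91.205.189.15 - - [28/Sep/2016:18:22:20] "GET /cart.do?action=purchase&itemId=EST-16&productId=DB-SG-G01 HTTP/1.1" 200 1882
91.205.189.15 - - [28/Sep/2016:18:22:25] "GET /cart.do?action=purchase&itemId=EST-17&productId=WC-SH-G04 HTTP/1.1" 503 1001
91.205.189.15 - - [28/Sep/2016:18:22:31] "GET /cart.do?action=purchase&itemId=EST-14&productId=WC-SH-G04 HTTP/1.1" 200 2118
91.205.189.15 - - [28/Sep/2016:18:22:40] "GET /cart.do?action=purchase&itemId=EST-99&productId=ZZ-UNKNOWN HTTP/1.1" 200 2004
182.236.164.11 - - [28/Sep/2016:18:23:01] "GET /cart.do?action=purchase&itemId=EST-15&productId=MB-AG-G07 HTTP/1.1" 200 2211
182.236.164.11 - - [28/Sep/2016:18:23:05] "GET /cart.do?action=purchase&itemId=EST-16&productId=DB-SG-G01 HTTP/1.1" 200 1882
10.0.0.5 - - [28/Sep/2016:18:24:00] "GET /category.screen?categoryId=STRATEGY HTTP/1.1" 200 5521
"""

# Constructed prices.csv: productId is the lookup input field; product_name and
# price are the output fields (assumed to be renamed to productName/price).
PRICES_CSV = """\
productId,product_name,price
WC-SH-G04,Mediocre Kingdoms,24.99
DB-SG-G01,Final Sequel,19.99
MB-AG-G07,Dream Crusher,39.99
"""

LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_events(text):
    """Extract clientip, status, action and productId per line (stand-in for Splunk field extraction)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = {"clientip": m["clientip"], "status": m["status"]}
        qs = parse_qs(urlsplit(m["uri"]).query)
        for field in ("action", "productId"):
            if field in qs:
                ev[field] = qs[field][0]
        events.append(ev)
    return events


def load_lookup(csv_text):
    """Table keyed on productId. Matching is exact and case-sensitive, as Splunk lookups are by default."""
    return {row["productId"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def apply_lookup(events, table):
    """Automatic lookup: add productName and price only where productId matches a row.
    Events with no productId, or an unmatched one, are returned unchanged, which is
    why the tutorial's sidebar shows the lookup fields on only some events."""
    out = []
    for ev in events:
        ev = dict(ev)
        row = table.get(ev.get("productId"))
        if row is not None:
            ev["productName"] = row["product_name"]
            ev["price"] = row["price"]
        out.append(ev)
    return out


def enrich_sample():
    return apply_lookup(parse_events(SAMPLE_EVENTS), load_lookup(PRICES_CSV))


def vip_purchases(events):
    """Equivalent of: ... status=200 action=purchase [subsearch: top limit=1 clientip]
    | stats count, dc(productId), values(productId), values(productName) BY clientip."""
    purchases = [e for e in events if e.get("status") == "200" and e.get("action") == "purchase"]
    if not purchases:
        return None
    vip_ip, _ = Counter(e["clientip"] for e in purchases).most_common(1)[0]  # top limit=1
    vip = [e for e in purchases if e["clientip"] == vip_ip]
    ids = {e["productId"] for e in vip if "productId" in e}
    # values() yields distinct values in sorted order; an unmatched productId is
    # still counted in dc(productId) but is absent from values(productName).
    names = {e["productName"] for e in vip if "productName" in e}
    return {
        "VIP Customer": vip_ip,
        "Total Purchased": len(vip),
        "Total Products": len(ids),
        "Products ID": sorted(ids),
        "Product Names": sorted(names),
    }


if __name__ == "__main__":
    enriched = enrich_sample()
    print(sum("productName" in e for e in enriched), "of", len(enriched), "events got lookup fields")
    print(vip_purchases(enriched))
```

Run it and compare the last two columns: the VIP bought three distinct product IDs, but only two product names appear, because ZZ-UNKNOWN has no lookup row. That is the mismatch to look for whenever a lookup-derived field replaces the raw field in a report.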

Next step

This completes Part 5 of the Search Tutorial.

You have learned how to use field lookups in your searches. As you run more searches, you will want to save them and share them with other people. Continue to Part 6: Creating reports and charts.


This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11
