Splunk® Enterprise

Search Tutorial

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Enabling field lookups

You can use field lookups to add new fields to your events. With field lookups you can reference fields in an external CSV file that match fields in your event data. Using this match, you can enrich your event data by adding more meaningful information and searchable fields from the CSV file to each event.

The external CSV files are referred to as lookup table files. The lookup file that you will use contains product IDs, product names, regular prices, sales prices, and product codes.

Prerequisite
In Part 1, you downloaded two tutorial data files and uncompressed the Prices.csv.zip file. You use that uncompressed file in this section.

Important: The remaining Parts in this tutorial are dependent on you completing the steps in this section. If you do not configure the field lookup, the searches will not produce the correct results.

Find the Lookups manager

  1. In the Splunk bar, click Settings.
  2. In the Knowledge section, click Lookups.
    This screen capture shows the Settings drop-down. The Lookups option is circled.
    The Lookups manager opens, where you can create new lookups or edit existing lookups.
    This screen capture shows the Lookups manager page.

You can view and edit existing lookups by clicking on the links in the Lookups manager. In the next few sections of this tutorial, you will upload a lookup table file, create a lookup definition, and create an automatic lookup.

Upload the lookup table file

To use a lookup table file, you must upload the file to your Splunk deployment.

  1. In the Lookups manager, locate Lookup table files.
  2. In the Actions column click Add new.
    You use the Add new lookup table files view to upload CSV files that you want to use.
    This screen image shows the Add new view with the prices.csv file specified as the file to upload and the destination name.
  3. The Destination app field specifies which app you want to upload the lookup table file to. To upload the file in the Search app, you do not need to change anything. The default value is search.
  4. Under Upload a lookup file, click Choose File and browse for the prices.csv file.
  5. Under Destination filename, type prices.csv.
    This is the name that you will use to refer to the file when you create a lookup definition.
  6. Click Save.
    This uploads your lookup file to the Search app and displays the lookup table files list.

Note: If the Splunk software does not recognize or cannot upload the file, you can take the following actions.

  • Check that the file is uncompressed.
  • If an error message indicates that the file does not have line breaks, the file has become corrupted. This can happen if the file is opened in Microsoft Excel before it is uploaded. You should delete the Prices.csv.zip and prices.csv files. Then download the ZIP file again, and uncompress the file.

The screen image shows that the prices.csv file was uploaded successfully.

The other lookup table files in the list are included with the Splunk software.

Share the lookup table file

Now that the lookup table file is uploaded, you need tell the Splunk software which applications can use this file. You can share the lookup table file with the Search app or with all of the apps.

  1. In the Lookup table files list, locate the prices.csv file at the bottom of the Path list.
  2. In the Sharing column, notice that prices.csv is listed as Private.
  3. To share the lookup table file, click Permissions.
  4. In the Permissions dialog box, under Object should appear in, select All apps.
    This screen image shows the Permissions dialog box with the "All apps" radio button selected.
  5. Click Save.
    The Sharing setting for the prices.csv lookup table is set to Global.
    This screen image shows the Lookup table file dialog box.

Add the field lookup definition

It is not sufficient to share the lookup table file with an application. You must create a lookup definition from the lookup table file.

1. In the Lookup table file view, select Lookups in the breadcrumbs to return to the Lookups manager.

This screen image shows the Lookup table file view. There is a circle around the first link in the breadcrumbs "Lookups". You can also open the Lookups manager from the Settings menu and selecting "Lookups".

2. For Lookup definitions, click Add New.

The Add new lookups definitions page opens, where you define the field lookup.

3. There is no need to change the Destination app setting. It is already set to search, referring to the Search app.

4. For Name, type prices_lookup.

5. For Type, select File-based.

A file-based lookup is typically a static table, such as a CSV file.

6. For Lookup file, select prices.csv, which is the name of your lookup table file.

This screen image shows the Add new page.

7. For Configure time-based lookup and Advanced options, leave the check boxes unselected.

8. Click Save.

The prices_lookup is now defined as a file-based lookup.
This screen image shows the Lookup Definitions page. There are several pre-defined built in lookup definitions. The prices_lookup is at the bottom of the list.

Share the lookup definition with all apps

Now that you have created the lookup definition, specify in which apps you want to use the definition.

1. In the Lookup definitions list, for the prices_lookup, click Permissions.

2. In the Permissions dialog box, under Object should appear in, select All apps.

This screen image shows the Permissions page with "All apps" selected.

3. Click Save.

In the Lookup definitions page, prices_lookup now has Global permissions.

You can use this field lookup to add information from the lookup table file to your events. You use the field lookup by specifying the lookup command in a search string. Or, you can set the field lookup to run automatically.

Make the lookup automatic

Instead of using the lookup command when you want to apply a field lookup to your events, you can set the lookup to run automatically.

1. In the Lookups manager, for Automatic lookups, click Add New.

This takes you to the Add new automatic lookups view, where you configure the lookup to run automatically.
This screen image shows the Add New view for automatic lookups.  None of the fields have been changed.

2. There is no need to change the Destination app setting. It is already set to search, referring to the Search app.

3. For Name, type autolookup_prices.

4. For Lookup table, select prices_lookup.

The other options are lookups that are based on the lookup table files that come with the product.

5. For Apply to, the value sourcetype is already selected. For named, type access_combined_wcookie.

This screen image shows the Add New new for lookup fields. The fields are filled in as described in the steps up to this point.

6. For Lookup input fields, type productId in both text boxes.

The lookup input fields are where you associate values from the lookup table file with values in your events.
  • The first text box specifies the value in the lookup table file.
  • The second text box specifies the value in your events.


The lookup table file has a productId column that contains values that match the values in the productId field in the events.
This screen image shows the Add New view for lookup fields.  The fields are filled in as described in the steps up to this point.

7. For Lookup output fields, specify the names of the fields from the lookup table file that you want to add to your event data. You can specify different names.

The lookup table file has several fields. You will specify two of the fields to appear in your events.

a. In the first text box, type product_name. This is the field in the prices.csv file that contains the descriptive name for each productId.
b. In the second text box, after the equal sign, type productName. This is the name of the field that will appear in your events for the descriptive name of the product.
c. Click Add another field to add another field after the first one.
d. Type price in the first text box. This is the field in the prices.csv file that contains the price for each productId. Let's use the same name for the field that will appear in your events. Type price in the second text box.
This screen image shows the Add New new for lookup fields.  The fields are filled in as described in these steps.

8. Keep Overwrite field values unchecked.

9. Click Save.

The Automatic lookup view appears and the lookup that you configured, autolookup_prices, is in the list. The full name is access_combined_wcookie : LOOKUP-autolookup_prices.
This screen image shows the Automatic lookups view. The format of the lookup name is "sourcetype : LOOKUP-name". This displays as "access_combined_wcookie : LOOKUP-autolookup_prices" in the screen image. The list in this view contains seven columns: Name, Lookup, Owner, App, Sharing, Status, and Action.

Next step

You have setup the Search app to automatically retrieve information from your lookup table definition.
Now, you will search using those lookup definitions.

PREVIOUS
Use a subsearch
  NEXT
Search with field lookups

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters