Splunk® Enterprise

Knowledge Manager Manual

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Define an automatic lookup in Splunk Web

Manual lookups are applied to the results of a search when they are invoked with the lookup command. Automatic lookups are applied to all searches at search time.

Splunk software does not support nested automatic lookups.

Add a new lookup to run automatically

Review the following topics:

A lookup definition that you have defined previously.

  1. In Splunk Web, select Settings > Lookups.
  2. Under Actions for Automatic Lookups, click Add new.
  3. Select the Destination app.
  4. Give your automatic lookup a unique Name.
  5. Select the Lookup table that you want to use in your fields lookup.
    This is the name of the lookup definition that you defined on the Lookup Definition page.
  6. In the Apply to menu, select a host, source, or source type value to apply the lookup and give it a name in the named field.
  7. Under Lookup input fields provide one or more pairs of input fields.
    The first field is the field in the lookup table that you want to match. The second field is a field from your events that matches the lookup table field. For example, you can have an ip_address field in your events that matches an ip field in the lookup table. So you would enter ip = ip_address in the automatic lookup definition.
  8. Under Lookup output fields provide one or more pairs of output fields.
    The first field is the corresponding field that you want to output to events. The second field is the name that the output field should have in your events. For example the lookup table may have a field named country that you may want to output to your events as ip_city.
  9. You can select the checkbox for Overwrite field values to overwrite the field values when the lookup runs.
    Note: This is equivalent to configuring your fields lookup in props.conf.
  10. Click Save.

The Automatic lookup view appears, and the lookup that you have defined is listed.

Last modified on 23 May, 2017
Define a time-based lookup in Splunk Web
Lookup example in Splunk Web

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters