Splunk® Enterprise

Search Tutorial


Search with field lookups

Now that you have defined the prices_lookup, you can see the fields from that lookup in your search results.

Show the lookup fields in your search results

Because the prices_lookup is an automatic lookup, the fields from the lookup table will automatically appear in your search results.

  1. From the Automatic Lookups window, in the Apps menu, click Search & Reporting to return to the Search summary view.
  2. Change the time range to All time.
  3. Run the following search to locate all of the web access activity.

     sourcetype=access_*

  4. Scroll through the list of Interesting Fields in the Fields sidebar, and find the price field.
  5. Click price to open the summary dialog box for that field.
     This screen image shows the Field summary dialog box for the price field.
  6. Next to Selected, click Yes. This moves the price field from the list of Interesting Fields to the list of Selected Fields in the Fields sidebar.
  7. Close the dialog box.
  8. Scroll through the list of Interesting Fields in the Fields sidebar, and find the productName field.
  9. Click productName to open the summary dialog box for the field.
  10. Next to Selected, click Yes.
  11. Close the dialog box.
  12. Both the price field and the productName field appear in the Selected Fields list and in the search results.
     Notice that not every event shows the price and the productName fields.
     This screen image shows the lookup fields in the Selected Fields list and in the search results. The third event in the list is highlighted. The lookup fields do not appear in every event.

Search with the new lookup fields

When you set up the automatic lookup, you specified that the productId field in your indexed events corresponds to the productId field in the prices.csv file.

When you run a search, the Splunk software uses that relationship to retrieve, or look up, data from the prices.csv file.

This enables you to specify the productName and price fields directly in your search. The product name and price information does not exist in your indexed fields. This information exists only in the lookup file, prices.csv.

Example: Display the product names and prices

To show a list of the Buttercup Games product names and the corresponding prices, run the following search.

sourcetype=access_* | stats values(price) AS Price BY productName | rename productName AS "Product Name"

This screen image shows the search results. There are two columns in the results. The first column lists the product names. The second column lists the prices for the products.

Example: Display the VIP client purchases

In the previous section about subsearches, you created a search that returned the product IDs of the products that a VIP client purchased.

sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productId) AS "Products ID" BY clientip | rename clientip AS "VIP Customer"


The search returns these results. This screen image shows the results on the Statistics tab. The first column shows the client IP address. The second column shows that the customer made 134 purchases. The third column shows that 14 different products were purchased.

The events return the product IDs because that is the only data in your events about the product. However, now that you have defined the automatic lookup, you can return the actual product names.

  1. Make sure that the time range is set to All time.
  2. Using the same search, for the values parameter, replace the productId field with the productName field.

sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productName) AS "Product Names" BY clientip | rename clientip AS "VIP Customer"

The results are the same as in the previous search, showing the purchases by the VIP customer. However, the results are more meaningful because the product names, which are coming from the lookup table, appear instead of the more cryptic product IDs.
This screen image shows the search results. This is the same as the previous image with one important change. The last column in the previous image showed the Product IDs. In this image the last column shows the names of the products that were purchased.
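To make the lookup behaviour concrete, here is an added Python model of what the two searches above do; it is an illustration written for this page, not Splunk code and not the tutorial's real data. It builds a small constructed prices.csv and a handful of constructed access events, applies the automatic lookup (match on productId, add productName and price), then reproduces stats values(price) BY productName and the VIP subsearch with count, dc(productId) and values(...). The constructed data deliberately includes an event with no productId and an event whose productId is not in the table, to show why the lookup fields do not appear in every event and why values(productName) can list fewer items than dc(productId).

```python
"""Model of a Splunk automatic CSV lookup and the two tutorial searches (added example)."""
import csv
import fnmatch
import io
from collections import Counter

# Constructed stand-in for prices.csv: IDs, names and prices are made up for this example.
PRICES_CSV = """productId,productName,price
WC-SH-G04,World of Cheese,24.99
DB-SG-G01,Dream Crusher,39.99
FS-SG-G03,Final Sequel,24.99
"""

# Constructed events. The "view" event carries no productId, one purchase uses an
# ID that is missing from the table, and one event is not an access_* sourcetype.
EVENTS = [
    {"sourcetype": "access_combined_wcookie", "clientip": "10.0.0.1", "status": "200", "action": "purchase", "productId": "WC-SH-G04"},
    {"sourcetype": "access_combined_wcookie", "clientip": "10.0.0.1", "status": "200", "action": "purchase", "productId": "DB-SG-G01"},
    {"sourcetype": "access_combined_wcookie", "clientip": "10.0.0.1", "status": "200", "action": "purchase", "productId": "WC-SH-G04"},
    {"sourcetype": "access_combined_wcookie", "clientip": "10.0.0.2", "status": "200", "action": "purchase", "productId": "FS-SG-G03"},
    {"sourcetype": "access_combined_wcookie", "clientip": "10.0.0.2", "status": "503", "action": "purchase", "productId": "DB-SG-G01"},
    {"sourcetype": "access_combined_wcookie", "clientip": "10.0.0.3", "status": "200", "action": "view"},
    {"sourcetype": "access_combined_wcookie", "clientip": "10.0.0.1", "status": "200", "action": "purchase", "productId": "ZZ-00-X99"},
    {"sourcetype": "syslog", "clientip": "10.0.0.9", "status": "200", "action": "purchase", "productId": "WC-SH-G04"},
]


def load_lookup(csv_text, match_field="productId"):
    """Parse the lookup table into {match value: {output field: value}}."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row[match_field]: {k: v for k, v in row.items() if k != match_field} for row in rows}


def apply_automatic_lookup(events, lookup, match_field="productId"):
    """Automatic lookup semantics: an event gets the table's output fields only
    when its match field holds a value that exists in the table."""
    enriched = []
    for ev in events:
        ev = dict(ev)
        if ev.get(match_field) in lookup:
            ev.update(lookup[ev[match_field]])
        enriched.append(ev)
    return enriched


def search(events, sourcetype="access_*", **filters):
    """sourcetype=access_* plus any field=value terms, like the search bar."""
    return [ev for ev in events
            if fnmatch.fnmatch(ev.get("sourcetype", ""), sourcetype)
            and all(ev.get(f) == v for f, v in filters.items())]


def product_prices(events):
    """| stats values(price) AS Price BY productName
    Events lacking the BY field are dropped; values() keeps unique values, sorted."""
    out = {}
    for ev in events:
        if "productName" in ev and "price" in ev:
            out.setdefault(ev["productName"], set()).add(ev["price"])
    return {name: sorted(prices) for name, prices in sorted(out.items())}


def vip_purchases(events, product_field="productId"):
    """The subsearch example: top limit=1 clientip, then count, dc(productId)
    and values(<product_field>) for that client. product_field is productId for
    the first search and productName for the second."""
    purchases = search(events, status="200", action="purchase")
    if not purchases:
        return None
    vip = Counter(ev["clientip"] for ev in purchases).most_common(1)[0][0]
    vip_events = [ev for ev in purchases if ev["clientip"] == vip]
    return {
        "VIP Customer": vip,
        "Total Purchased": len(vip_events),
        "Total Products": len({ev["productId"] for ev in vip_events if "productId" in ev}),
        # values() ignores events where the field is null, so an unmatched
        # productId contributes to dc(productId) but not to values(productName)
        "Products": sorted({ev[product_field] for ev in vip_events if product_field in ev}),
    }


if __name__ == "__main__":
    enriched = apply_automatic_lookup(EVENTS, load_lookup(PRICES_CSV))
    print(product_prices(search(enriched)))
    print(vip_purchases(enriched, "productId"))
    print(vip_purchases(enriched, "productName"))
```

Running it shows the same shape as the tutorial's Statistics tab: the VIP client's Total Purchased and Total Products are identical whether you ask for values(productId) or values(productName), but the name list is shorter because the constructed unknown ID has no row in the table and therefore no productName to report.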

Next step

This completes Part 5 of the Search Tutorial.

You have learned how to use field lookups in your searches. As you run more searches, you want to be able to save those searches, or share the searches with other people. Continue to Part 6: Creating reports and charts.


This documentation applies to the following versions of Splunk® Enterprise: 6.5.1612 (Splunk Cloud only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12
