Splunk® Enterprise

Data Model and Pivot Tutorial

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Add lookup files

The data models and pivots that you create in this tutorial require some fields from an external lookup file. This topic guides you through the steps to add the lookup to your Splunk deployment and create a new lookup definition.

With CSV lookups, you can reference fields in an external CSV file that match fields in your event data. Using this match, you can enrich your event data by adding more meaningful information and searchable fields to each event. For this tutorial the lookup file maps the productId in the tutorial data to a product name and price in the lookup file.

The remaining Parts in this tutorial dependent on you completing the steps in this section. If you do not configure the lookup, the data models and pivots will not produce the correct results.

If you completed the Search Tutorial, you can skip this step and go to Part 2: Building a data model.

Download and uncompress the lookup file

  1. Download the Prices.csv.zip file.
  2. Uncompress the file.


The prices.csv file contains the product names, price, and code. For example:
productId product_name price sale_price Code
DB-SG-G01 Mediocre Kingdoms 24.99 19.99 A
DC-SG-G02 Dream Crusher 39.99 24.99 B
FS-SG-G03 Final Sequel 24.99 16.99 C
WC-SH-G04 World of Cheese 24.99 19.99 D

Find the Lookups manager

  1. In the Splunk bar, click Settings.
  2. In the Knowledge section, click Lookups.
    This image shows the Settings drop-down. The Lookups option is circled.
    The Lookups manager opens, where you can create new lookups or edit existing lookups.
    This image shows the Lookups manager page.

Upload the lookup table file

To use a lookup table file, you must upload the file to your Splunk platform.

  1. In the Lookups manager, locate Lookup table files.
  2. In the Actions column click Add new.
    You use the Add new view to upload the CSV file that you want to use.
    This image shows the Add new view with the prices.csv file specified as the file to upload and the destination name.
  3. The Destination app field specifies which app you want to upload the lookup table file to. To upload the file in the Search app, you do not need to change anything. The default value is search.
  4. Under Upload a lookup file, click Choose File and browse for the prices.csv file.
  5. Under Destination filename, type prices.csv.
    This is the name that you will use to refer to the file when you create a lookup definition.
  6. Click Save.
    This uploads your lookup file to the Search app and displays the lookup table files list.

If the Splunk software does not recognize or cannot upload the file, you can take the following actions.

  • Check that the file is uncompressed.
  • If an error message indicates that the file does not have line breaks, the file has become corrupted. This can happen if the file is opened in Microsoft Excel before it is uploaded. You should delete the Prices.csv.zip and prices.csv files. Then download the ZIP file again, and uncompress the file.

The image shows that the prices.csv file was uploaded successfully.

The other lookup table files in the list are included with the Splunk software.

Share the lookup table file

Now that the lookup table file is uploaded, you need tell the Splunk software which applications can use this file. You can share the lookup table file with the Search app or with all of the apps.

  1. In the Lookup table files list, locate the prices.csv file at the bottom of the Path list.
  2. In the Sharing column, notice that prices.csv is listed as Private.
  3. To share the lookup table file, click Permissions.
  4. In the Permissions dialog box, under Object should appear in, select All apps.
    This image shows the Permissions dialog box with the "All apps" radio button selected.
  5. Click Save.
    The Sharing setting for the prices.csv lookup table is set to Global.
    This image shows the Lookup table file dialog box.

Add the field lookup definition

It is not sufficient to share the lookup table file with an application. You must create a lookup definition from the lookup table file.

  1. In the Lookup table file view, select Lookups in the breadcrumbs to return to the Lookups manager.
    This image shows the Lookup table file dialog box. There is a circle around the first link in the breadcrumbs "Lookups". You can also open the Lookups manager from the Settings menu and selecting "Lookups".
  2. For Lookup definitions, click Add New.
    The Add new lookups definitions page opens, where you define the field lookup.
  3. There is no need to change the Destination app setting. It is already set to search, referring to the Search app.
  4. For Name, type prices_lookup.
  5. For Type, select File-based.
    A file-based lookup is typically a static table, such as a CSV file.
  6. For Lookup file, select prices.csv, which is the name of the lookup table file that you created.
    This image shows the Add new page.
  7. For Configure time-based lookup and Advanced options, leave the check boxes unselected.
  8. Click Save.
    The prices_lookup is now defined as a file-based lookup.
    This image shows the Lookup Definitions page. There are several pre-defined built in lookup definitions. The prices_lookup is at the bottom of the list.

Share the lookup definition with all apps

Now that you have created the lookup definition, you need to specify in which apps you want to use the definition.

  1. In the Lookup definitions list, for the prices_lookup, click Permissions.
  2. In the Permissions dialog box, under Object should appear in, select All apps.
    This image shows the Permissions page with "All apps" selected.
  3. Click Save.
    In the Lookup definitions page, prices_lookup now has Global permissions.

You can use this field lookup to add information from the lookup table file to your events. You use the field lookup by specifying the lookup command in a search string. Or, you can set the field lookup to run automatically.

Next steps

Continue to the next section to learn about data models and how to create them.

Last modified on 16 February, 2018
Load the tutorial data   About data models and data model datasets

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters