Splunk® Enterprise

Search Tutorial

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Search with field lookups

Now that you have defined the prices_lookup, you can see the fields from that lookup in your search results.

Show the lookup fields in your search results

Because prices_lookup is an automatic lookup, the fields from the lookup table appear in your search results automatically; you do not need to add a lookup command to the search.

  1. From the Automatic Lookups window, in the Apps menu, click Search & Reporting to return to the Search summary view.
  2. Change the time range to All time.
  3. Run the following search to locate all of the web access activity.

     sourcetype=access_*

  4. Scroll through the list of Interesting Fields in the Fields sidebar, and find the price field.
  5. Click price to open the summary dialog box for that field.
     This screen image shows the Field summary dialog box for the price field.
  6. Next to Selected, click Yes. This moves the price field from the list of Interesting Fields to the list of Selected Fields in the Fields sidebar.
  7. Close the dialog box.
  8. Scroll through the list of Interesting Fields in the Fields sidebar, and find the productName field.
  9. Click productName to open the summary dialog box for the field.
  10. Next to Selected, click Yes.
  11. Close the dialog box.

Both the price field and the productName field now appear in the Selected Fields list and in the search results.
Notice that not every event shows the price and the productName fields. Only events that contain a productId value matching a row in the lookup table receive the lookup fields; events without a productId, such as requests for pages that are not product pages, have nothing to look up.
This screen image shows the lookup fields in the Selected Fields list and in the search results. The third event in the list is highlighted. The lookup fields do not appear in every event.

Search with the new lookup fields

When you setup the automatic lookup, you specified that the productId field in your indexed events corresponds to the productId field in the prices.csv file.

When you run a search, the Splunk software uses that relationship to retrieve, or lookup, data from the prices.csv file.

This enables you to specify the productName and price fields directly in your search. The product name and price information does not exist in your indexed fields. This information exists in the lookup file, prices.csv.

Example: Display the product names and prices

You can show a list of the Buttercup Games product names and the corresponding prices by using the stats command to output a table that lists the prices by product. The search uses the AS keyword to name the aggregated column and the rename command to give the productName column a readable header.

  1. Run the following search.

sourcetype=access_* |stats values(price) AS Price BY productName |rename productName AS "Product Name"

This screen image shows the search results. There are two columns in the results. The first column lists the product names. The second column lists the prices for the products.

Example: Display the VIP client purchases

In the previous section about subsearches, you created a search that returned the product IDs of the products that a VIP client purchased.

sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productId) AS "Products ID" BY clientip | rename clientip AS "VIP Customer"

This screen image shows the results on the Statistics tab. The first column shows the client IP address. The second column shows that the customer made 134 purchases. The third column shows that 14 different products were purchased.

The search returns product IDs because the product ID is the only information about the product that exists in your events. Now that you have defined the automatic lookup, you can return the actual product names instead.

  1. Make sure that the time range is set to All time.
  2. Run the same search, but in the values function replace the productId field with the productName field, and change the alias after AS to match.

sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productName) AS "Product Names" BY clientip | rename clientip AS "VIP Customer"

The results are the same as in the previous search, showing the purchases by the VIP customer. However, the results are more meaningful because the product names, which are coming from the lookup table, appear instead of the more cryptic product IDs.
This screen image shows the search results. This is the same as the previous image with one important change. The last column in the previous image showed the Product IDs. In this image the last column shows the names of the products that were purchased.
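The following Python is an added example, not part of this tutorial and not Splunk's own code. It emulates, on a handful of events, what the automatic lookup and the two searches on this page do: each event's productId is joined against a lookup table, then stats values(price) BY productName is computed, and finally the VIP search is run (the top limit=1 clientip subsearch, followed by count, dc(productId) and values(productName) for that client). The lookup rows and the access_* events are constructed for this example, and the lookup column names (productId, productName, price) are an assumption about prices.csv. Splunk does not execute Python like this; the point is to make the join and aggregation semantics explicit, in particular why an event with no productId, or with a productId that has no row in the table, never receives the lookup fields.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed stand-in for the lookup table. The column names are an assumption
# for this example; the tutorial's prices.csv may name them differently.
PRICES_CSV = """productId,productName,price
DB-SG-G01,Mediocre Kingdoms,24.99
DC-SG-G02,Dream Crusher,39.99
FS-SG-G03,Final Sequel,24.99
WC-SH-G04,World of Cheese,24.99
"""

# Constructed, already field-extracted access_* events (not real log data).
# The third event has no productId, like the highlighted event in the tutorial,
# and the last one has a productId that is absent from the lookup table.
EVENTS = [
    {"clientip": "87.194.216.51", "status": "200", "action": "purchase", "productId": "DB-SG-G01"},
    {"clientip": "87.194.216.51", "status": "200", "action": "purchase", "productId": "DC-SG-G02"},
    {"clientip": "87.194.216.51", "status": "200", "action": "view"},
    {"clientip": "87.194.216.51", "status": "503", "action": "purchase", "productId": "FS-SG-G03"},
    {"clientip": "87.194.216.51", "status": "200", "action": "purchase", "productId": "DB-SG-G01"},
    {"clientip": "91.205.189.15", "status": "200", "action": "purchase", "productId": "WC-SH-G04"},
    {"clientip": "91.205.189.15", "status": "200", "action": "purchase", "productId": "ZZ-NO-SUCH"},
]


def load_lookup(csv_text):
    """Parse the lookup CSV into {productId: {"productName": ..., "price": ...}}."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table[row["productId"]] = {"productName": row["productName"], "price": row["price"]}
    return table


def apply_automatic_lookup(events, table):
    """Emulate an automatic lookup keyed on productId: copy productName and price
    onto every event whose productId matches a row. Events with no productId, or
    with an unmatched productId, are left untouched, which is why the lookup
    fields do not appear in every event."""
    enriched = []
    for event in events:
        out = dict(event)
        match = table.get(event.get("productId"))
        if match is not None:
            out.update(match)
        enriched.append(out)
    return enriched


def stats_values(events, field, by):
    """Emulate `stats values(field) BY by`: the distinct values of field for each
    value of by, sorted lexicographically (Splunk's values() sorts as strings).
    Events missing either field contribute nothing, just as in Splunk."""
    groups = defaultdict(set)
    for event in events:
        if by in event and field in event:
            groups[event[by]].add(event[field])
    return {key: sorted(vals) for key, vals in groups.items()}


def vip_client_purchases(events):
    """Emulate the VIP search. The subsearch picks the clientip with the most
    successful purchases (top limit=1 clientip); the outer search then computes
    count, dc(productId) and values(productName) for that client's purchases."""
    purchases = [e for e in events if e.get("status") == "200" and e.get("action") == "purchase"]
    vip, _ = Counter(e["clientip"] for e in purchases).most_common(1)[0]
    vip_events = [e for e in purchases if e["clientip"] == vip]
    return {
        "VIP Customer": vip,
        "Total Purchased": len(vip_events),
        "Total Products": len({e["productId"] for e in vip_events if "productId" in e}),
        "Product Names": sorted({e["productName"] for e in vip_events if "productName" in e}),
    }


if __name__ == "__main__":
    enriched = apply_automatic_lookup(EVENTS, load_lookup(PRICES_CSV))
    print(stats_values(enriched, "price", "productName"))
    print(vip_client_purchases(enriched))
```

Two details carry over to real searches. Splunk's values() returns distinct values sorted as strings, so a price column is compared lexicographically, not numerically, unless you convert it. And because lookup fields exist only on events with a matching key, a search that filters on a lookup field (for example price>20) silently drops every event that had no productId or whose productId was missing from the table; check the event count before and after adding such a filter when the lookup is supplying the context you are investigating.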

Next step

This completes Part 5 of the Search Tutorial.

You have learned how to use field lookups in your searches. As you run more searches, you want to be able to save those searches, or share the searches with other people. Continue to Part 6: Creating reports and charts.

Last modified on 23 March, 2018

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13

