Skip to main content
Splunk® Enterprise

Knowledge Manager Manual

Splunk® Enterprise
7.2.0
Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Lookup example in Splunk Web

This example defines a file-based CSV lookup that adds two fields, status_description and status_type, to your web access events. This lets you search for events when you do not know the specific error code. Instead of searching for all server error codes, use status="Server Error".

Upload the lookup table to Splunk Enterprise

Prerequisities

The following is a sample of the file: 

status,status_description,status_type
100,Continue,Informational
101,Switching Protocols,Informational
200,OK,Successful
201,Created,Successful
202,Accepted,Successful
203,Non-Authoritative Information,Successful
...

Steps

  1. From the Search app, then select Settings > Lookups.
  2. Select Add new for Lookup table files.
  3. Select search for the destination app.
  4. Browse for the CSV file that you downloaded earlier.
  5. Name the lookup table http_status.
  6. Click Save.

    7. Upload http status 4.2 b.png

    After Splunk Enterprise saves the file, it takes you to the following view:

    Upload lookup table file b.png

Define the lookup

Prerequisites

Steps

  1. From Settings > Lookups, select Add new for Lookup definitions.
  2. Select search for the Destination app.
  3. Name your lookup definition http_status.
  4. Select File-based under Type.
  5. Click Save.
    Lookup def saved-b.png
    Notice there are some actions you can take on your lookup definition. Permissions lets you change the accessibility of the lookup table. You can Disable, Clone, and Move the lookup definition to a different app. Or, you can Delete the definition. Once you define the lookup, you can use the lookup command to invoke it in a search or you can configure the lookup to run automatically.

Set the lookup to run automatically

Prerequisites

Steps

  1. Return to the Settings > Lookups view and select Add new for Automatic lookups.
  2. In the Add new page:
    Add new automatic lookup b.png
  3. Select search for the Destination app.
  4. Name the lookup http_status.
  5. Select http_status from the Lookup table drop down.
  6. Apply the lookup to the sourcetype named access_combined.
    Apply lookup to field b.png
  7. Lookup input fields are the fields in our events that you want to match with the lookup table. Here, both are named status (the CSV column name goes on the left and the field that you want to match goes on the right): Lookup input fields b.png
  8. Lookup output fields are the fields from the lookup table that you want to add to your events: status_description and status_type. The CSV column name goes on the left and the field that you want to match goes on the right. Lookup output fields b.png
  9. Click Save.
Last modified on 16 January, 2020
Define an automatic lookup in Splunk Web   Introduction to lookup configuration

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters