Splunk® Enterprise

Knowledge Manager Manual

Download manual as PDF

Download topic as PDF

Define an automatic lookup in Splunk Web

Manual lookups are applied to the results of a search when they are invoked with the lookup command. Automatic lookups are applied to all searches at search time.

Splunk software does not support nested automatic lookups.

Add a new lookup to run automatically

Prerequisites
Review the following topics:

A lookup definition that you have defined previously.
Steps

  1. In Splunk Web, select Settings > Lookups.
  2. Under Actions for Automatic Lookups, click Add new.
  3. Select the Destination app.
  4. Give your automatic lookup a unique Name.
  5. Select the Lookup table that you want to use in your fields lookup.
    This is the name of the lookup definition that you defined on the Lookup Definition page.
  6. In the Apply to menu, select a host, source, or source type value to apply the lookup and give it a name in the named field.
  7. Under Lookup input fields provide one or more pairs of input fields.
    The first field is the field in the lookup table that you want to match. The second field is a field from your events that matches the lookup table field. For example, you can have an ip_address field in your events that matches an ip field in the lookup table. So you would enter ip = ip_address in the automatic lookup definition.
  8. Under Lookup output fields provide one or more pairs of output fields.
    The first field is the corresponding field that you want to output to events. The second field is the name that the output field should have in your events. For example, the lookup table may have a field named country that you may want to output to your events as ip_city. So you would enter country=ip_city in the automatic lookup definition.
  9. You can select the checkbox for Overwrite field values to overwrite the field values when the lookup runs.
    Note: This is equivalent to configuring your fields lookup in props.conf.
  10. Click Save.

The Automatic lookup view appears, and the lookup that you have defined is listed.

Last modified on 07 August, 2019
PREVIOUS
Define a time-based lookup in Splunk Web 		  NEXT
Lookup example in Splunk Web

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters