Splunk® Enterprise

Knowledge Manager Manual

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Introduction to lookup configuration

Lookups add fields from an external source to your events based on the values of fields that are already present in those events. A simple lookup example would be a lookup that works with a CSV file that combines the possible HTTP status values (303, 404, 201, and so on) with their definitions. If you have an event that includes an HTTP status value, the lookup could add the HTTP status description to the event.

You can also use lookups to perform this action in reverse, so that they add fields from your events to rows in a lookup table.

You can configure different types of lookups. Lookups are differentiated in two ways: by data source and by information type.

For more information on dataset types, see Dataset types and usage.

Lookup type Data source Description
CSV lookup A CSV file Populates your events with fields pulled from CSV files. Also referred to as a "static lookup" because CSV files represent static tables of data. Each column in a CSV table is interpreted as the potential values of a field.

CSV inline lookup table files and inline lookup definitions that use CSV files are both dataset types.

External lookup An external source, such as a DNS server. Uses Python scripts or binary executables to populate your events with field values from an external source. Also referred to as a "scripted lookup."

Not a dataset type.

KV Store lookup A KV Store collection Matches fields in your events to fields in a KV Store collection and outputs corresponding fields in that collection to your events.

Not a dataset type.

Geospatial lookup A KMZ (compressed keyhole markup language) file, used to define boundaries of mapped regions such as countries, US states, and US counties. You use a geospatial lookup to create a query that Splunk software uses to configure a choropleth map. A geospatial lookup matches location coordinates in your events to geographic feature collections in a KMZ (Keyhole Markup Language) file and outputs fields to your events that provide corresponding geographic feature information encoded in the KMZ, like country, state, or county names.

Not a dataset type

Last modified on 23 May, 2017
Lookup example in Splunk Web   Configure CSV lookups

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.10, 8.1.0, 7.2.3, 8.0.8, 7.0.1, 8.0.7, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2, 8.0.9, 8.1.1, 8.1.10

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters