Splunk Cloud Platform

Search Tutorial

Search with field lookups

Now that you have defined the prices_lookup, you can see the fields from that lookup in your search results.

Show the lookup fields in your search results

Because the prices_lookup is an automatic lookup, the fields from the lookup table will automatically appear in your search results.

  1. From the Automatic Lookups window, click the Apps menu in the Splunk bar.
  2. Click Search & Reporting to return to the Search app.
  3. Change the time range to All time.
  4. Run the following search to locate all of the web access activity.

    sourcetype=access_*

  5. Scroll through the list of Interesting Fields in the Fields sidebar, and find the price field.
    This field is added to your events from the automatic lookup you created.
  6. Click price to open the summary dialog box for that field.

    This screen image shows the Field summary dialog box for the price field. There are 9 different prices listed along with a count and percent for each price.

    The summary dialog box contains a lot of information about the price field. For example, the price field appears in more than 50% of the events. There are a set of built-in reports that you can access. Several aggregate calculations, such as average, minimum, and standard deviation, are listed. Along with a count and percentage of how many events each price appears in.
  7. Next to Selected, click Yes. This moves the prices field from the list of Interesting Fields to the list of Selected Fields in the Fields sidebar.
  8. Close the dialog box.
  9. Scroll through the list of Interesting Fields in the Fields sidebar, and find the productName field.
  10. Click productName to open the summary dialog box for the field.
  11. Next to Selected, click Yes.
  12. Close the dialog box.

Both the price and the productName fields appear in the Selected Fields list and in the search results.

Notice that not every event shows the price and the productName fields.

This screen image shows the lookup fields in the Selected Fields list and in the search results. The third event in the list is highlighted. The lookup fields do not appear in every event.

Search with the new lookup fields

When you setup the automatic lookup, you specified that the productId field in your indexed events corresponds to the productId field in the prices.csv file.

When you run a search, the Splunk software uses that relationship to retrieve, or lookup, data from the prices.csv file.

This enables you to specify the productName and price fields in your search criteria. The product name and price information does not exist in your indexed fields. This information exists in the lookup file, prices.csv.

Example: Display the product names and prices

You can show a list of the Buttercup Games product names and the corresponding prices by using the stats command to output a table that lists the prices by product. The search also uses the AS keyword and the rename command.


  1. Run the following search using the All time time range.

sourcetype=access_* |stats values(price) AS Price BY productName |rename productName AS "Product Name"

This screen image shows the search results. There are two columns in the results. The first column lists the 16 product names. The second column lists the prices for the products.

Example: Display the VIP client purchases

In Part 4 of this tutorial about subsearches, you created the following search that returned the product IDs of the products that a VIP client purchased.

sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productId) AS "Product IDs" BY clientip | rename clientip AS "VIP Customer"

The results of that search are shown in the following image.

This screen image shows the results on the Statistics tab. The first column is VIP Customer with a value of 87.194.216.51. The second column is Total Purchased with a value of 134. The third column is Total Products with a value of 14. The last column is Product IDs and lists the IDs of the products purchased by the VIP customer. Examples of the Product IDs are: BS-AG-G09 and CU-PG-G06.

The events return the product IDs because that is the only data in your events about the product. However, now that you have defined the automatic lookup, you can return the actual product names.

  1. Make sure that the time range is set to All time.
  2. Using the same search, change values(productId) to values(productName).
  3. Run the search.

sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productName) AS "Product Names" BY clientip | rename clientip AS "VIP Customer"

The results, like the previous search, show the purchases by the VIP customer. However, the results are more meaningful because the product names, which are coming from the lookup table, appear instead of the more cryptic product IDs.
This screen image shows the search results. This is the same as the previous image with one important change. The last column in the previous image showed the Product IDs. In this image the last column shows the names of the products that were purchased. Examples of the product names are: Dream Crusher and Puppies vs. Zombies.

Next step

This completes Part 5 of the Search Tutorial.

You have learned how to use field lookups in your searches. As you run more searches, you want to be able to save those searches, or share the searches with other people. Continue to Part 6: Creating reports and charts.

See also

About lookups in the Knowledge Manager Manual

Last modified on 22 October, 2023
Enabling field lookups   Save and share your reports

This documentation applies to the following versions of Splunk Cloud Platform: 9.3.2408, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2208, 8.2.2112, 9.0.2205, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters