Introduction to lookup configuration
Lookups add fields from an external source to your events based on the values of fields that are already present in those events. A simple example is a lookup that uses a CSV file mapping the possible HTTP status values (303, 404, 201, and so on) to their definitions. If an event includes an HTTP status value, the lookup can add the matching HTTP status description to that event.
You can also use lookups to perform this action in reverse, so that they add fields from your events to rows in a lookup table.
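The forward and reverse CSV lookups described above, as an added illustration in plain Python (not Splunk's own lookup implementation); the status table, the events and the field names are constructed for this example:

```python
import csv
import io

# Constructed sample lookup table (not from the Splunk docs): HTTP status -> description.
HTTP_STATUS_CSV = """status,status_description,status_class
200,OK,success
201,Created,success
303,See Other,redirect
404,Not Found,client_error
500,Internal Server Error,server_error
"""

# Constructed sample events, shaped like what a search would see (hypothetical values).
EVENTS = [
    {"host": "web01", "src_ip": "10.0.0.5", "status": "404"},
    {"host": "web01", "src_ip": "10.0.0.9", "status": "200"},
    {"host": "web02", "src_ip": "10.0.0.5", "status": "404"},
    {"host": "web02", "src_ip": "10.0.0.7", "status": "418"},   # no row in the table
    {"host": "web03", "src_ip": "10.0.0.2"},                    # key field missing
]

def load_lookup(csv_text, key_field):
    """Parse CSV text into {key value: row dict}; each column is a lookup field."""
    return {row[key_field]: row for row in csv.DictReader(io.StringIO(csv_text))}

def enrich_events(events, table, key_field):
    """Forward lookup: add the matching row's other columns to each event.
    Events whose key is absent or unmatched pass through unchanged."""
    enriched = []
    for event in events:
        merged = dict(event)
        row = table.get(event.get(key_field))
        if row is not None:
            merged.update({f: v for f, v in row.items() if f != key_field})
        enriched.append(merged)
    return enriched

def reverse_lookup(events, table, key_field, event_field):
    """Reverse lookup: add an event field to the table rows it matched.
    Each row gains '<event_field>_values', the sorted distinct values seen."""
    rows = {k: dict(v) for k, v in table.items()}
    seen = {k: set() for k in rows}
    for event in events:
        key = event.get(key_field)
        if key in seen and event_field in event:
            seen[key].add(event[event_field])
    for key, row in rows.items():
        row[event_field + "_values"] = sorted(seen[key])
    return rows
```

The reverse direction is the one an analyst uses to see, per status code, which sources produced it (for example every source that triggered a 404).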
You can configure different types of lookups. Lookups are differentiated in two ways: by data source and by information type.
For more information on dataset types, see Dataset types and usage.
| Lookup type | Data source | Description |
|---|---|---|
| CSV lookup | A CSV file | Populates your events with fields pulled from CSV files. Also referred to as a "static lookup" because CSV files represent static tables of data. Each column in a CSV table is interpreted as the potential values of a field. |
| External lookup | An external source, such as a DNS server | Uses Python scripts or binary executables to populate your events with field values from an external source. Also referred to as a "scripted lookup." |
| KV Store lookup | A KV Store collection | Matches fields in your events to fields in a KV Store collection and outputs corresponding fields in that collection to your events. |
| Geospatial lookup | A KMZ (compressed Keyhole Markup Language) file, used to define boundaries of mapped regions such as countries, US states, and US counties | You use a geospatial lookup to create a query that Splunk software uses to configure a choropleth map. A geospatial lookup matches location coordinates in your events to geographic feature collections in a KMZ file and outputs fields to your events that provide the corresponding geographic feature information encoded in the KMZ, such as country, state, or county names. |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2303, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209 (latest FedRAMP release)