Splunk® Light

Getting Started Manual

Download manual as PDF

Download topic as PDF

Use lookups in Splunk Light

Lookups enable you to enrich and extend the usefulness of your event data through interactions with external resources. Lookup tables use information in your events to determine how to add other fields from external data sources such as static tables (CSV files).

You can use field lookups to add new fields to your events. With field lookups you can reference fields in an external CSV file that match fields in your event data. Using this match, you can enrich your event data by adding more meaningful information and searchable fields from the CSV file to each event. The external CSV files are referred to as lookup table files.

Configure a lookup table file

1. In the sidebar menu, go to Knowledge > Lookups. The Lookups manager opens, where you can create new lookups or edit existing lookups.

2. In the Lookups manager, locate Lookup table files.

3. In the Actions column click Add new. You use the Add new lookup table files view to upload CSV files that you want to use.

4. The Destination app field specifies which app you want to upload the lookup table file to. The default value is search.

5. Under Upload a lookup file, browse to and upload the file you want to use.

6. Under Destination filename, type the name the lookup table will have on the Splunk server. This is the name that you will use to refer to the file when you create a lookup definition.

7. Click Save. This uploads your lookup file to Search and displays the lookup table files list. The lookup table files listed, that are other than what you have uploaded, are included with the Splunk software.

Note: If the Splunk software does not recognize or cannot upload the file, you can take the following actions.

  • Check that the file is uncompressed.
  • If an error message indicates that the file does not have line breaks, the file has become corrupted. This can happen if a ZIP file is opened in Microsoft Excel before it is uploaded. You should delete the file, then download the ZIP file again, and uncompress the file.

8. Next, share the lookup table file.

Share a lookup table file

After you have a lookup table file uploaded, you need tell the Splunk software which applications can use this file. You can share the lookup table file with Search.

1. In the Lookup table files list, locate the list you want to share.

2. In the Sharing column, click Permissions.

3. Select if you want to share the lookup table file or keep it private.

4. Select the roles you want to share this lookup table file with, including giving read and write access.

5. Click Save.

6. Next, add the field lookup definition.

Add the field lookup definition

You must create a lookup definition from the lookup table file.

1. In the sidebar menu, go to Knowledge > Lookups.

2. For Lookup definitions, click Add New. The Add new lookups definitions page opens, where you define the field lookup.

3. There is no need to change the Destination app setting. It is already set to the default of search.

4. For Name, type the name of the lookup definition.

5. For Type, select the type of file. A file-based lookup is typically a static table, such as a CSV file.

6. For Lookup file, select your lookup table file.

7. If you want to select Configure time-based lookup and Advanced options, click the box and complete the additional configuration.

8. Click Save. Your lookup table file now has a lookup definition.

9. Next, share the lookup definition.

Share the lookup definition

Now that you have created the lookup definition, specify the roles in which you want to share the definition.

1. In the Lookup definitions list, click Permissions.

2. Select the roles you want to share this lookup table file with, including giving read and write access.

3. Click Save.

You can use this field lookup to add information from the lookup table file to your events. You use the field lookup by specifying the lookup command in a search string. Or, you can set the field lookup to run automatically.

Make the lookup automatic

Instead of using the lookup command when you want to apply a field lookup to your events, you can set the lookup to run automatically.

1. In the Lookups manager, for Automatic lookups, click Add New.

This takes you to the Add new automatic lookups view, where you configure the lookup to run automatically.

2. The default Destination app setting is search.

3. For Name, enter a name for this automatic lookup.

4. Select the Lookup table.

The other options are lookups that are based on the lookup table files that come with the product.

5. For Apply to, the value and enter the name.

6. For Lookup input fields, enter the values from the lookup table file with values in your events.

  • The first text box specifies the value in the lookup table file.
  • The second text box specifies the value in your events.

7. For Lookup output fields, specify the names of the fields from the lookup table file that you want to add to your event data. You can specify different names.

  • In the first text box, type a name that is descriptive name for each productId.
  • In the second text box, after the equal sign, type the name of the field that will appear in your events for the descriptive name of the product.

8. If you want to overwrite field values, check Overwrite field values. Typically, this remains unchecked.

9. Click Save.

PREVIOUS
Use reports in Splunk Light
  NEXT
Use search macros in Splunk Light

This documentation applies to the following versions of Splunk® Light: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters