Use lookup to add fields from lookup tables
You can match fields in your events to fields in external sources, such as lookup tables, and use these matches to add more information inline to your events.
A lookup table can be a static CSV file, a KV store collection, or the output of a Python script. You can also use the results of a search to populate the CSV file or KV store collection and then set that up as a lookup table. For more information about field lookups, see Configure CSV and external lookups and Configure KV store lookups in the Knowledge Manager Manual.
After you configure a fields lookup, you can invoke it from the Search app with the lookup command.
Example
You have a field lookup named dnslookup which references a Python script that performs a DNS and reverse DNS lookup and accepts either a host name or IP address as arguments. You can use the lookup command to match the host name values in your events to the host name values in the lookup table, and add the corresponding IP address values to your events.
... | lookup dnslookup clienthost AS host OUTPUT clientip
See also
- Related information
- Configure external lookups in the Knowledge Manager Manual
| Use the eval command and functions | Extract fields with search commands |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
Download manual
Feedback submitted, thanks!