Splunk - Lookups
Splunk - Lookups
In the result of a search query, we sometimes get values which may not clearly convey the meaning of the field. For example, we may get a field which lists the value of product id as a numeric result. These numbers will not give us any idea of what kind of product it is. But if we list the product name along with the product id, that gives us a good report where we understand the meaning of the search result.
Such linking of values of one field to a field with same name in another dataset using equal values from both the data sets is called a lookup process. The advantage is, we retrieve the related values from two different data sets.
Steps to Create and Use Lookup File
In order to successfully create a lookup field in a dataset, we need to follow the below steps −
Create Lookup File
We consider the dataset with host as web_application, and look at the productid field. This field is just a number, but we want product names to be reflected in our query result set. We create a lookup file with the following details. Here, we have kept the name of the first field as productid which is same as the field we are going to use from the dataset.
productId,productdescription WC-SH-G04,Tablets DB-SG-G01,PCs DC-SG-G02,MobilePhones SC-MG-G10,Wearables WSC-MG-G10,Usb Light GT-SC-G01,Battery SF-BVS-G01,Hard Drive
Add the Lookup File
Next, we add the lookup file to Splunk environment by using the Settings screens as shown below −
After selecting the Lookups, we are presented with a screen to create and configure lookup. We select lookup table files as shown below.
We browse to select the file productidvals.csv as our lookup file to be uploaded and select search as our destination app. We also keep the same destination file name.
On clicking the save button, the file gets saved to the Splunk repository as a lookup file.
Create Lookup Definitions
For a search query to be able to lookup values from the Lookup file we just uploaded above, we need to create a lookup definition. We do this by again going to Settings → Lookups → Lookup Definition → Add New .
Next, we check the availability of the lookup definition we added by going to Settings → Lookups → Lookup Definition .
Selecting Lookup Field
Next, we need to select the lookup field for our search query. This is done my going to New search → All Fields . Then check the box for productid which will automatically add the productdescription field from the lookup file also.
Using the Lookup Field
Now we use the Lookup field in the search query as shown below. The visualization shows the result with productdescription field instead of productid.
Frequently Asked Questions
Recommended Posts:
- Splunk Tutorial
- Splunk - Overview
- Splunk - Environment
- Splunk - Interface
- Splunk - Data Ingestion
- Splunk - Source Types
- Splunk - Basic Search
- Splunk - Field Searching
- Splunk - Time Range Search
- Splunk - Sharing Exporting
- Splunk - Search Language
- Splunk - Search Optimization
- Splunk - Transforming Commands
- Splunk - Sort Command
- Splunk - Top Command