Lookup in Splunk : To make enrich your data Splunk software gives one of the best Feature called Lookup, Lookup help us to add completely new field, from other files if data is matched with your fields. Standard lookups take fields out of table than it checks either fields are matching or not if yes than it add them to our events.
Splunk uses lookups table files to match field-value combinations in your event data with field-value combinations in external lookup tables.
If Splunk finds those field-value combinations in your lookup table file, Splunk will append the corresponding field-value combinations from the table to the events in your search.
Lookup table files are files that contain a lookup table. A standard lookup pulls fields out of this table and adds them to your events when corresponding fields in the table are matched in your events.
All lookup types use lookup tables, but only two lookup types require that you upload a lookup table file: CSV lookups and geospatial lookups. A single lookup table file can be used by multiple lookup definitions.
Create Lookup in Splunk
The files containing table of views that files are said to be Lookup Table Files, that file mostly used for mapping of fields and fields values and to match the field value alloy in your event data with field value combination in other or external lookups tables. If the field values combination matches than it will append the corresponding field-value alloys from the table to the events in your search.
Create Lookup File
productId,productdescription WC-SH-G04,Tablets DB-SG-G01,PCs DC-SG-G02,MobilePhones SC-MG-G10,Wearables WSC-MG-G10,Usb Light GT-SC-G01,Battery SF-BVS-G01,Hard Drive
Upload the lookup table file
6 Easy Steps to upload lookup table file
-
Select Settings > Lookups to go to the Lookups manager page.
-
Click Add new next to Lookup table files.
-
Select a Destination app from the drop-down list.
-
Click Choose File to look for the CSV file to upload.
-
Enter the destination filename. This is the name the lookup table file will have on the Splunk server. If you are uploading a gzipped CSV file, enter a filename ending in “.gz“. If you are uploading a plaintext CSV file, use a filename ending in “.csv“.
-
Click Save.
By default, the Splunk software saves your CSV file in your user directory for the Destination app: $SPLUNK_HOME/etc/users/<username>/<app_name>/lookups/
.
Lookup Table Files Definitions
(Lookup in Splunk) Lookup definitions give us lookup names and ways or paths to find the lookup table file. Lookup definitions contain restrictions and matching rule extra settings on fields that are going to be matched. Each lookup type requires a lookup definition.
What is Splunk Transaction Command? How to use it?
Lookup Table File Types
CSV lookups Table File
It is a file-based lookup type that is used to match the field value from events to field value in the static table to present again by CSV file. These lookups pertain as static lookups. It is good for a small set of data.
How to create a CSV file
- Upload CSV file
- Share the lookup table file
- Create a lookup definition from the lookup table file
External lookups Table File
It is a script-based lookup table file because they are easy through the use of a script, It uses python Script or binary assassinate to settle events with field values from an external source.
KV Store lookups Table File
It is used to match the field in your events to the field in KV Store collection and give output resembling to fields in that collection to your events. It used mostly when you have large lookup table (Lookup in Splunk).
Geospatial lookups Table File
It is used for matching the location of coordinates in your events to geographic feature collection in a KMZ or KML file and gives output those filed to your events that give related geographic feature information encoded in KMZ or KML like states name etc.
How to Create a Lookup Table File in Splunk using CSV type
- From the Search app, select Settings > Lookups.
- Select Add new for Lookup table files.
- Select search for the destination app.
- Browse for the CSV file that you downloaded earlier.
- Name the lookup table HTTP status.
- Click Save.
Prerequisites
- From Settings > Lookups, select Add new for Lookup definitions.
- Select search for the Destination app.
- Name your lookup definition HTTP status.
- Select File-based under Type.
- Click Save.
Conclusion
In this article we have discussed Lookup Table Files in Splunk (Lookup in Splunk) and its types. All lookup types use lookup tables, but only two lookup types require that you upload a lookup table file: CSV lookups and geospatial lookups.