Lookup in Splunk: To enrich your data, Splunk provides a feature called Lookup. A lookup adds completely new fields to your events from other files when values in the file match values in your events. A standard lookup pulls fields out of a table, checks whether the matching fields agree, and if they do, adds the remaining fields from the table to your events.
Splunk uses lookup table files to match field-value combinations in your event data with field-value combinations in external lookup tables.
If Splunk finds those field-value combinations in your lookup table file, Splunk will append the corresponding field-value combinations from the table to the events in your search.
Lookup table files are files that contain a lookup table. A standard lookup pulls fields out of this table and adds them to your events when corresponding fields in the table are matched in your events.
All lookup types use lookup tables, but only two lookup types require that you upload a lookup table file: CSV lookups and geospatial lookups. A single lookup table file can be used by multiple lookup definitions.
Create Lookup in Splunk
Files containing a lookup table are called lookup table files. They are mostly used to map fields and field values: Splunk matches field-value combinations in your event data against field-value combinations in the lookup table. If a combination matches, Splunk appends the corresponding field-value combinations from the table to the events in your search.
Lookup Table Files Definitions
A lookup definition gives the lookup a name and tells Splunk where to find the lookup table file. It also holds the matching rules and restrictions that apply to the fields being matched. Every lookup type requires a lookup definition.
Lookup Table File Types
CSV lookups Table File
A file-based lookup type that matches field values from your events against field values in a static table represented by a CSV file. These lookups are referred to as static lookups. They are well suited to small sets of data.
How to create a CSV lookup
- Upload CSV file
- Share lookup table file
- Create lookup definition from lookup table file
External lookups Table File
A script-based lookup type, implemented through a script: Splunk runs a Python script or a binary executable to populate events with field values from an external source.
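The external lookup protocol described above, as an added example that is not code from the page or from Splunk: Splunk invokes the script with the field names as arguments, sends one CSV row per event on stdin (the known field filled in, the other empty), and reads the completed CSV back from stdout. The hostname/IP table here is constructed for the example; a real script would query DNS, an asset inventory or similar in its place.

```python
import csv
import io
import sys

# Constructed lookup data for this example (not a live DNS lookup): maps a
# hostname to an IP address and back.
HOST_TABLE = {
    "web01.example.test": "10.1.1.10",
    "db01.example.test": "10.1.1.20",
}
IP_TABLE = {ip: host for host, ip in HOST_TABLE.items()}


def resolve(host, ip):
    """Return (host, ip) with whichever side was empty filled in, if known.
    Unknown values stay empty, so the event simply gets no new field."""
    if host and not ip:
        return host, HOST_TABLE.get(host, "")
    if ip and not host:
        return IP_TABLE.get(ip, ""), ip
    return host, ip


def enrich_csv(input_text, host_field, ip_field):
    """Read the CSV Splunk sends on stdin (header = the fields named in the
    lookup definition), fill the empty column of each row, and return the
    CSV text Splunk expects on stdout."""
    reader = csv.DictReader(io.StringIO(input_text))
    if reader.fieldnames is None:  # empty input: nothing to enrich
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        host, ip = resolve(row.get(host_field, ""), row.get(ip_field, ""))
        row[host_field], row[ip_field] = host, ip
        writer.writerow(row)
    return out.getvalue()


def main(argv):
    # Splunk passes the field names from the lookup definition as arguments,
    # e.g. (assumed stanza) external_cmd = example_lookup.py clienthost clientip
    if len(argv) != 3:
        sys.stderr.write("usage: %s <host_field> <ip_field>\n" % argv[0])
        return 2
    sys.stdout.write(enrich_csv(sys.stdin.read(), argv[1], argv[2]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the script runs with the search head's privileges on every matching event, keep it read-only, make every external query time-bounded, and never echo untrusted input back into the CSV unescaped (the csv module handles the quoting here).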
KV Store lookups Table File
Matches fields in your events to fields in a KV Store collection and outputs the corresponding fields from that collection to your events. It is mostly used when you have a large lookup table.
Geospatial lookups Table File
Matches location coordinates in your events to a geographic feature collection in a KMZ or KML file and outputs fields carrying the related geographic feature information encoded in that file, such as state names.
How to Create a Lookup Table File in Splunk using CSV type
- From the Search app, select Settings > Lookups.
- Select Add new for Lookup table files.
- Select search for the destination app.
- Browse for the CSV file that you downloaded earlier.
- Name the lookup table HTTP status.
- Click Save.
- From Settings > Lookups, select Add new for Lookup definitions.
- Select search for the Destination app.
- Name your lookup definition HTTP status.
- Select File-based under Type.
- Click Save.
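What the CSV lookup created above does at search time, as an added example in Python that is not code from the page or from Splunk: the table is loaded, indexed by the match fields, and each event whose field-value combination is found in the table gets the output fields appended, while events with no match pass through unchanged. The HTTP status table and the events are constructed sample data in the shape of the tutorial's HTTP status lookup; the function takes a list of match fields, so it also covers multi-field combinations, which goes beyond the single-field case in the text.

```python
import csv
import io

# Constructed lookup table (sample data for this example, not the page's file):
# one row per status code, plus the fields we want appended to events.
HTTP_STATUS_CSV = """status,status_description,status_type
200,OK,Successful
301,Moved Permanently,Redirection
404,Not Found,Client Error
503,Service Unavailable,Server Error
"""

# Constructed sample events, as the field dicts Splunk holds after extraction.
EVENTS = [
    {"clientip": "10.0.0.5", "status": "200", "uri": "/"},
    {"clientip": "10.0.0.9", "status": "404", "uri": "/admin"},
    {"clientip": "10.0.0.7", "status": "418", "uri": "/teapot"},
]


def load_lookup_table(csv_text):
    """Parse CSV text into row dicts; the header row names the lookup fields."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def build_index(rows, match_fields):
    """Index rows by the tuple of match-field values so each event costs one
    dictionary hit instead of a scan of the whole table."""
    index = {}
    for row in rows:
        key = tuple(row[f] for f in match_fields)
        index.setdefault(key, row)  # first matching row wins
    return index


def apply_lookup(events, rows, match_fields, output_fields):
    """Emulate a lookup on match_fields that outputs output_fields:
    events whose match-field values all appear in the table get the output
    fields appended; events with no match are returned unchanged."""
    index = build_index(rows, match_fields)
    enriched = []
    for event in events:
        key = tuple(event.get(f, "") for f in match_fields)
        row = index.get(key)
        new_event = dict(event)
        if row is not None:
            for f in output_fields:
                new_event[f] = row[f]
        enriched.append(new_event)
    return enriched


def enrich_sample_events():
    """Run the constructed events through the constructed HTTP status table."""
    rows = load_lookup_table(HTTP_STATUS_CSV)
    return apply_lookup(EVENTS, rows, ["status"], ["status_description", "status_type"])


if __name__ == "__main__":
    for event in enrich_sample_events():
        print(event)
```

The unmatched 418 event keeps only its original fields; in a real search that is the case to watch for, since a dashboard that filters on status_type would silently drop such events rather than flag them.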
In this article we have discussed lookup table files in Splunk and their types. All lookup types use lookup tables, but only two lookup types require that you upload a lookup table file: CSV lookups and geospatial lookups.