Understanding lookups in Splunk:

Lookups are very commonly used in Splunk to enrich search results. A lookup table (and the lookup command) correlates external information with search results. For example, you are searching for user login details in Splunk and the results show the username and login details, but you also want to add the user's department name, which is not available in the logs. In this situation we can create a lookup file and ask Splunk to add data from the lookup file to the results to enrich our data. Another very common scenario is when logs contain the IP address of a machine instead of its hostname; we can then use a lookup table to map the IP address to the hostname.
There are two types of lookups commonly used in Splunk, as below:
CSV lookup - Populates your events with fields pulled from CSV files. Also referred to as a "static lookup" because CSV files represent static tables of data. Each column in a CSV table is interpreted as the potential values of a field.
External lookup - Uses Python scripts or binary executables to populate your events with field values from an external source.
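To make the external lookup type concrete, here is an added example script (not code from the original page) written against the interface Splunk uses for external lookups: the script is started with the lookup field names as command-line arguments, receives a CSV table on stdin (header row first, one row per event, unknown fields left empty), and writes the completed CSV to stdout. The field names status_code, status_description and status_type and the small status table inside the script are assumptions chosen for this example.

```python
#!/usr/bin/env python3
"""Example external lookup script for Splunk (added illustration, not code
from the original page).

Splunk runs the script with the lookup field names as arguments, feeds it
a CSV document on stdin and reads the completed CSV back from stdout.
This script fills in the HTTP status description and class for a status
code, and resolves the code when only the description is present.  The
field names and STATUS_TABLE below are assumptions for this example.
"""
import csv
import io
import sys

# Assumed lookup data: status code -> (description, class).  The spelling of
# the descriptions follows the sample CSV file discussed on this page.
STATUS_TABLE = {
    "200": ("OK", "Successful"),
    "301": ("MovedPermanently", "Redirection"),
    "302": ("Found", "Redirection"),
    "400": ("BadRequest", "Client Error"),
    "401": ("Unauthorized", "Client Error"),
    "403": ("Forbidden", "Client Error"),
    "404": ("NotFound", "Client Error"),
}

# Reverse index so a row carrying only a description can be resolved too.
DESCRIPTION_TO_CODE = {desc: code for code, (desc, _) in STATUS_TABLE.items()}

KEY, DESC, TYPE = "status_code", "status_description", "status_type"


def lookup_row(row):
    """Fill the empty fields of one CSV row in place and return it.

    Rows whose key is unknown are returned untouched; the output fields
    simply stay empty, which is how a miss is reported back to Splunk.
    """
    code = (row.get(KEY) or "").strip()
    if not code and row.get(DESC):
        # Reverse direction: description given, code missing.
        code = DESCRIPTION_TO_CODE.get(row[DESC].strip(), "")
        row[KEY] = code
    if code in STATUS_TABLE:
        desc, kind = STATUS_TABLE[code]
        row[DESC] = desc
        row[TYPE] = kind
    return row


def process_csv(input_text, fieldnames):
    """Run the lookup over a whole CSV document and return the output CSV."""
    reader = csv.DictReader(io.StringIO(input_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n",
                            extrasaction="ignore")
    writer.writeheader()
    for row in reader:
        writer.writerow(lookup_row(row))
    return out.getvalue()


def main():
    # Splunk passes the field names as arguments; fall back to the assumed
    # names so the script can also be exercised by hand on the command line.
    fieldnames = sys.argv[1:] or [KEY, DESC, TYPE]
    sys.stdout.write(process_csv(sys.stdin.read(), fieldnames))


if __name__ == "__main__":
    main()
```

Run by hand with `printf 'status_code,status_description,status_type\n404,,\n' | python3 lookup_status.py status_code status_description status_type` to see the filled row; the script path and the field list are whatever you register in the lookup definition.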
Below we will see how we can create a Splunk lookup.
Step by step process to create Splunk lookups:
1 Prepare your lookup file in CSV format.
Ensure you can open the file in Excel and that there are no issues with delimiters.
You can also convert your file to CSV format using Excel, and the same file can be used for the lookup definition.
Create a CSV file with headers. Bear in mind that the key you want to look up against (the first field) MUST be an existing field name in Splunk.
Special Note:
Column names, i.e. the words on the first line, can not contain a hyphen ("-"), otherwise lookups do not work.
Below is a sample file:
-----------------------------------------------------------------------------------
status_code,status_description,status_type
100,Continue,Informational
101,Switching Protocols,Informational
200,OK,Successful
201,Created,Successful
202,Accepted,Successful
203,Non-Authoritative Information,Successful
204,NoContent,Successful
205,ResetContent,Successful
206,PartialContent,Successful
300,MultipleChoices,Redirection
301,MovedPermanently,Redirection
302,Found,Redirection
303,SeeOther,Redirection
304,NotModified,Redirection
305,UseProxy,Redirection
307,TemporaryRedirect,Redirection
400,BadRequest,Client Error
401,Unauthorized,Client Error
402,PaymentRequired,Client Error
403,Forbidden,Client Error
404,NotFound,Client Error
405,Method Not Allowed,Client Error
------------------------------------------------------------------------------------------------
2 Next, define your lookup table file. Click "Lookup table file" and proceed.
3 Upload the lookup table file. This file is saved on the Splunk server in the directory /opt/splunk/etc/users/admin/search/ as http_status_code.csv.
4 Create the lookup definition:
Select the proper app context and the name of the lookup definition; this same name will be used in the
lookup command.
5 Next, ensure you have some events with the lookup key field, in this case the "status_code" field; this is the first field in our file, refer to step 1.
In the search below, we extract a field with the same name as the lookup key field "status_code": if the extracted field and the lookup key field have different names, the lookup will not work.
index=_internal | rex field=_raw "\"\s+(?<status_code>\d+)\s+\d+.*" | table status_code | lookup http_status_code status_code
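The five steps above can be checked end to end outside Splunk. The following added example (not code from the original page) is a stand-in for what `rex` and `lookup` do in the search above: it parses a trimmed copy of the sample status-code file, extracts the status code from a few constructed log lines shaped like Splunk's own _internal web-access events, and copies the matching columns onto each event. It also enforces the two rules the page gives: hyphens in column names are rejected, and an event whose field name differs from the lookup key is left unenriched. The log lines, the trimmed CSV and the function names are assumptions for the example.

```python
"""Added example (not from the original page): a stand-in for `rex` followed
by `lookup`, run against the sample status-code lookup file."""
import csv
import io
import re

# The sample lookup file from this page, trimmed to a few rows (constructed
# subset for the example).
LOOKUP_CSV = """status_code,status_description,status_type
200,OK,Successful
301,MovedPermanently,Redirection
404,NotFound,Client Error
"""

# Same regex the page's search uses in `rex`: the status code is the number
# that follows the closing quote of the request line.
STATUS_RE = re.compile(r'"\s+(?P<status_code>\d+)\s+\d+.*')

# Constructed sample events in the style of splunkd web-access logs.
SAMPLE_EVENTS = [
    '127.0.0.1 - admin [01/Jan/2024:10:00:00.000 +0000] "GET /services/server/info HTTP/1.1" 200 1532 - - - 3ms',
    '127.0.0.1 - admin [01/Jan/2024:10:00:01.000 +0000] "GET /en-US/app/search/old HTTP/1.1" 301 0 - - - 1ms',
    '127.0.0.1 - - [01/Jan/2024:10:00:02.000 +0000] "GET /nothing/here HTTP/1.1" 404 203 - - - 2ms',
    '127.0.0.1 - - [01/Jan/2024:10:00:03.000 +0000] "GET /odd HTTP/1.1" 599 10 - - - 2ms',
]


def find_invalid_columns(fieldnames):
    """Return the header names that contain a hyphen (the page's 'Special Note')."""
    return [name for name in fieldnames if "-" in name]


def load_lookup(csv_text):
    """Parse the lookup file; the first column is the key, as on this page."""
    reader = csv.DictReader(io.StringIO(csv_text))
    bad = find_invalid_columns(reader.fieldnames)
    if bad:
        raise ValueError("hyphen in lookup column name(s): %s" % ", ".join(bad))
    key = reader.fieldnames[0]
    table = {row[key]: row for row in reader}
    return key, table


def extract_status_code(raw):
    """Mimic `rex field=_raw ...`: return the status code string or None."""
    m = STATUS_RE.search(raw)
    return m.group("status_code") if m else None


def enrich(events, key, table):
    """Mimic `lookup <name> <key>`: copy the matching row's other columns onto
    every event that carries the key field.  Events that lack the key field,
    or whose value has no row, pass through unchanged; that is also what you
    see in Splunk when the extracted field name differs from the lookup key."""
    out = []
    for event in events:
        event = dict(event)
        row = table.get(event.get(key))
        if row:
            for col, val in row.items():
                if col != key:
                    event[col] = val
        out.append(event)
    return out


def run_search(raw_lines, csv_text=LOOKUP_CSV):
    """Equivalent of: rex ... | table status_code | lookup http_status_code status_code"""
    key, table = load_lookup(csv_text)
    events = [{key: extract_status_code(line)} for line in raw_lines]
    return enrich(events, key, table)


if __name__ == "__main__":
    for ev in run_search(SAMPLE_EVENTS):
        print(ev)
```

Running it prints one dict per event: the 200, 301 and 404 lines gain status_description and status_type, while the 599 line (no row in the file) keeps only status_code, exactly as the lookup command would leave it.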