Splunk lookup
The Lookup Command to invoke field value lookups. The lookup does not need to be defined in props.conf or transforms.conf for you to use this command, but lookup table you reference must be uploaded to Splunk Enterprise.
This command to manually invoke lookup definitions that exist in transforms.conf. If you have automatic lookups configured in the props.conf file, the lookup command does not use any of those settings. See"Lookup fields from external data sources," in the Knowledge Manager Manual.
-In the Splunk bar, on the upper right, click Settings.
-Under Knowledge, click Lookups.
Create new lookups or edit existing ones. You can view and edit existing lookups by clicking on the links in the table for Lookup table files, Lookup definitions, and Automatic lookups. To add new lookups, click Add new under Actions for that lookup item.
Lookup Table file
Lookups manager under "Actions" for Lookup table files, click Add new.
To save your lookup table file in the Search app, leave the Destination app as search.
Upload a lookup file, browse for the CSV file (prices.csv) to upload.
Destination filename, name the file prices.csv.
This is the name you use to refer to the file in a lookup definition.
This uploads your lookup file to the Search app and returns to the lookup table files list.
Interested in mastering Splunk Certification? Enroll now for FREE demo on Splunk Training.
Syntax
lookup [local=<bool>] [update=<bool>] <lookup-table-name> ( <lookup-field> [AS <local-field>] ) ( OUTPUT | OUTPUTNEW <lookup-destfield> [AS <local-destfield>] )
Required arguments
<lookup-table-name>
Syntax: <string>
Description: Refers to a stanza name in transforms.conf. This stanza specifies the location of the lookup table file.
Optional arguments
- local
- Syntax: local=<bool>
- Description: If local=true, forces the lookup to run locally and not on any remote peers.
- Default: false
update
Syntax: update=<bool>
Description: If the lookup table is modified on disk while the search is running, real-time searches will not automatically reflect the update. To do this, specify update=true. This does not apply to non-real-time searches. This implies that local=true.
Default: false
<local-destfield>
Syntax: <string>
Description: Refers to the field in the local event, defaults to the value of <lookup-destfield>. Multiple <local-destfield> values can be specified.
- <local-field>
- Syntax: <string>
- Description: Refers to the field in the local event, defaults to the value of <lookup-field>. Multiple <local-field> values can be specified.
- <lookup-destfield>
- Syntax: <string>
- Description: Refers to a field in the lookup table to be copied to the local event. Multiple <lookup-destfield> values can be specified.
- <lookup-field>
- Syntax: <string>
- Description: Refers to a field in the lookup table to match to the local event. Multiple <lookup-field> values can be specified.
For an Indepth knowledge on Splunk, click on below
- Splunk Extract Fields
- Splunk Timechart
- List of Splunk Commands
- Splunk Forwarder
- Splunk Interview Questions
You liked the article?
Like : 0
Vote for difficulty
Current difficulty (Avg): Medium
About Author
Name
TekSlate is the best online training provider in delivering world-class IT skills to individuals and corporates from all parts of the globe. We are proven experts in accumulating every need of an IT skills upgrade aspirant and have delivered excellent services. We aim to bring you all the essentials to learn and master new technologies in the market with our articles, blogs, and videos. Build your career success with us, enhancing most in-demand skills in the market.
Stay Updated
Get stories of change makers and innovators from the startup ecosystem in your inbox