Splunk lookup

The Lookup Command to invoke field value lookups. The lookup does not need to be defined in props.conf or transforms.conf for you to use this command, but lookup table you reference must be uploaded to Splunk Enterprise.

This command to manually invoke lookup definitions that exist in transforms.conf. If you have automatic lookups configured in the props.conf file, the lookup command does not use any of those settings. See"Lookup fields from external data sources," in the Knowledge Manager Manual.

-In the Splunk bar, on the upper right, click Settings.

-Under Knowledge, click Lookups.

Create new lookups or edit existing ones. You can view and edit existing lookups by clicking on the links in the table for Lookup table files, Lookup definitions, and Automatic lookups. To add new lookups, click Add new under Actions for that lookup item.

Lookup Table file

Lookups manager under "Actions" for Lookup table files, click Add new.

To save your lookup table file in the Search app, leave the Destination app as search.

 Upload a lookup file, browse for the CSV file (prices.csv) to upload.

 Destination filename, name the file prices.csv.

This is the name you use to refer to the file in a lookup definition.

This uploads your lookup file to the Search app and returns to the lookup table files list.

Interested in mastering Splunk Certification? Enroll now for FREE demo on Splunk Training.

Syntax

lookup [local=<bool>] [update=<bool>] <lookup-table-name> ( <lookup-field> [AS <local-field>] ) ( OUTPUT | OUTPUTNEW <lookup-destfield> [AS <local-destfield>] )

Required arguments

<lookup-table-name>

Syntax: <string>

Description: Refers to a stanza name in transforms.conf. This stanza specifies the location of the lookup table file.

Optional arguments

local

Syntax: local=<bool>

Description: If local=true, forces the lookup to run locally and not on any remote peers.

Default: false

update

Syntax: update=<bool>

Description: If the lookup table is modified on disk while the search is running, real-time searches will not automatically reflect the update. To do this, specify update=true. This does not apply to non-real-time searches. This implies that local=true.

Default: false

<local-destfield>

Syntax: <string>

Description: Refers to the field in the local event, defaults to the value of <lookup-destfield>. Multiple <local-destfield> values can be specified.

<local-field>

Syntax: <string>

Description: Refers to the field in the local event, defaults to the value of <lookup-field>. Multiple <local-field> values can be specified.

<lookup-destfield>

Syntax: <string>

Description: Refers to a field in the lookup table to be copied to the local event. Multiple <lookup-destfield> values can be specified.

<lookup-field>

Syntax: <string>

Description: Refers to a field in the lookup table to match to the local event. Multiple <lookup-field> values can be specified.

For an Indepth knowledge on Splunk, click on below

• Splunk Extract Fields
• Splunk Timechart
• List of Splunk Commands
• Splunk Forwarder
• Splunk Interview Questions