29 Apr How to use Lookup to Search for Data
Here is another interesting topic related to Splunk. Today let’s see how to use the lookup to search for data.
What is a lookup?
CSV lookups are based on files that match values of the field from your events to values of a field in the static table shown by a CSV file. They output relative field values from the table to the events of yours. They are also called as static lookups.
· Lookup table files:-
o Lookup table files consist of a lookup table.
o A standard lookup extracts fields from this table and puts them in your events when the table’s corresponding fields match your events.
· Lookup definitions:-
o A lookup definition offers a name and path to search the lookup table.
o Lookup definitions consist of additional settings like matching rules or limitations on the fields that the lookup can match with.
o A lookup table can have many lookup definitions.
How One can Create Lookups?
- A CSV file is uploaded by just going to settings >> in knowledge section>> lookups
- You can create a new lookup or edit an existing lookup when the lookups manager opens.
- Here, we shall upload a CSV file.
- In the lookups manager, click lookup table files.
- Under the Actions column select Add new.
How to Upload the Lookup Table File?
- The Destination app parameter mentions to which app one has to upload the lookup table file. You do not have to alter anything to upload a file in the Search app. Search is the value.
- In Upload a lookup file, select Choose File and search for the CSV file.
- In Destination filename, type as CSV.
- This is the name one will use to cite to the file while creating a lookup definition.
- Click save.
- Share the lookup file and make it global by changing the permissions.
How to Add Field Lookup Definition?
- It is insufficient to share the lookup table file with another application. Hence you need to create a lookup definition from the lookup table file.
- To get lookup definitions, choose Add New. In this lookup definitions page, you can define the field lookup.
- The Destination app setting can remain unaltered.
- Type a file name.
- For Type, choose File-based. A file-based lookup is usually a static table, like a CSV file.
- For Lookup file, choose CSV, the lookup table file that you generated.
- Click save.
- Share the lookup definition and make it global.
Automatic Lookup
- To pertain a lookup to all searches during search time, use automatic lookups.
- You do not have to manually invoke an automatic lookup in searches along with the lookup command, after defining it for a lookup definition.
- Under Settings >> choose Lookups view and click Add new to get Automatic lookups.
- Under Add new page:
- Choose to search for the Destination app.
- Add a name to the lookup.
- Choose lookup from the Lookup table drops down.
- Apply the chosen look up to the source type
- Fields in the lookup input are the fields in your events which you want to twin with the lookup table.
- Fields in the Lookup output are the lookup table fields that you want to copy to your events.
- Click on Save.
There are 3 commands lookup, input lookup, and output lookup.
• Input lookup:-
o Make use of the input lookup command to find the lookup table contents. The lookup table can have a KV store lookup or a CSV lookup.
o Ex:- |inputlookup test.csv|join type=left City [search index=main|table City ]|table City
Pin code
o In the above query test.csv is a lookup that has the field City and in the index main also has field City. With this field, we get pin code from lookup for a City.
• Outputlookup:-
o It writes the search results to a KV store collection or a static lookup table that you specify.
• Ex:- | inputlookup newlookup.csv append=true | append=[|stats count | source=”vinay”,sourcetype=*1234|table source sourcetype] | outputlookup newlookup.csv
• In the above query newlookup.csv is the lookup that has the field source and source type
If you still face issues in this topic feel free to post your queries in the Comment Box below and for more interesting topics follow us on 👍 Social Networks. Happy Splunking
