Hi guys..!!! We have come with another interesting Topic of Splunk. Today we gonna use lookup to search for data.

What is lookup?
CSV lookups are file-based lookups that match field values from your events to field values in the static table represented by a CSV file. The output corresponding field values from the table to your events. They are also referred to as static lookups. Let’s dive into this blog to implement lookup to search for data.

  • Lookup table files:-

      o    Lookup table files are files that contain a lookup table.
      o    A standard lookup pulls fields out of this table and adds them to your events when
            corresponding fields in the table are matched in your events.

  • Lookup definitions:-

     o    A lookup definition provides a lookup name and a path to find the lookup table.
     o    Lookup definitions can include extra settings such as matching rules, or restrictions on the
           fields that the lookup is allowed to match.
     o    One lookup table can have multiple lookup definitions.

How to Create Lookups

  • To upload a CSV file just go to settings >> in the knowledge section lookups 
  • The Lookups manager opens, where you can create new lookups or edit existing lookups.
  • Here we can upload a CSV file.
  • In the Lookups manager, locate Lookup table files.
  • In the Actions column click Add new.

Upload the lookup table file

  • The Destination app field specifies which app you want to upload the lookup table file to. To upload the file in the Search app, you do not need to change anything. The default value is search.
  • Under Upload a lookup file, click Choose File and browse for the csv file.
  • Under Destination filename, type CSV.

           o This is the name that you will use to refer to the file when you create a lookup definition.

  • Click on save.
  • Share that lookup file make it global go to permission 

Add the field lookup definition

  • It is not sufficient to share the lookup table file with an application. You must create a lookup definition from the lookup table file.
  • For Lookup definitions, click Add New.The Add new lookup definitions page opens, where you define the field lookup.
  • There is no need to change the Destination app setting.
  • Type a file name.
  • For Type, select File-based.A file-based lookup is typically a static table, such as a CSV file.
  • For Lookup file, select csv, which is the name of the lookup table file that you created.
  • Click on save.
  • Share that lookup defination make it global.

Automatic  Lookup

  • Use automatic lookups to apply a lookup to all searches at search time.
  • After you define an automatic lookup for a lookup definition, you do not need to manually invoke it in searches with the lookup command.
  • Go to the Settings >> Lookups view and select Add new for Automatic lookups.
  • In the Add new page:
  •  Select search for the Destination app.
  • Name the lookup.
  • Select lookup from the Lookup table drop down.
  • Apply the lookup to the sourcetype
  • Lookup input fields are the fields in your events that you want to match with the lookup table
  • Lookup output fields are the fields from the lookup table that you want to write to your events.
  • Click Save.
  • We have 3 commands inputlookup, lookup and outputlookup.

          Inputlookup :-
              o  Use the inputlookup command to search the contents of a lookup table. The lookup table
                can be a CSV lookup or a KV store lookup.
              o Ex:- |inputlookup test.csv|join type=left City [search index=main|table City ]|table City
              o In above query test.csv is a lookup which having the field City and in index main also we
               have City field by using this field we are getting pincode from lookup for that City.

          • Outputlookup :-
              o Writes search results to a static lookup table, or KV store collection, that you specify.

               • Ex:- | inputlookup newlookup.csv append=true | append=[|stats count |                                                 source=”vinay”,sourcetype=*1234|table source sourcetype] | outputlookup newlookup.csv

               • In above query newlookup.csv is a lookup which is having the field source and sourcetype

If you are still facing issue regarding lookup to search for data Feel free to Ask Doubts in the Comment Box Below and Don’t Forget to Follow us on 👍 Social Networks, happy Splunking >😉