Lookups – Lookup Definition and Automatic Lookup ( Part – 2 )
This is the continuation of our previous Lookup blog Lookup – Lookup Table Files ( Part – 1) . I will request you to go through that blog before starting this one.
In this blog we will cover “Lookup Definition and Automatic Lookup”.
Automatic lookups basically is a procedure to apply a lookup to all searches at search time. After creating an automatic lookup, don’t have to use lookup command to interact with lookup files or tables. To create any automatic lookup we need to create a lookup definition for that, which basically contains a lookup table or file name and a path to find that lookup file. One lookup table or file can have multiple lookup definitions. Also we can use that lookup definition file to access the lookup file’s contents as well.
Creating Lookup Definition:
Let’s start with creating a lookup definition for lookup table “status_code.csv” (which we had already uploaded while we were discussing about lookup table files in our previous blog which consist of two fields , “status_code” and “status_information” it’s basically giving us all HTTP response status codes like 402 is for “Payment Required”, 403 is for “Forbidden” and 404 is for “Page Not Found” etc.)
Log in to your Splunk instance with your credentials.
Then go to the Settings and click on Lookups
Then click on Lookup definitions and New Lookup Definition.
Then it will open the dialog box to upload the lookup file. Fill the all mandatory fields as shown
Destination App: <select the destination app name> Name: <name of the lookup definition> Type: <select file-based for CSV lookup> Lookup file: <select name of the lookup file for which you wanna create definition, from the dropdown. We will select “status_code.csv”>
And Save it
After creating it change the permission to global of the lookup definition.
NOTE: Permission of your lookup file needs to be global for creating lookup definitions. Otherwise it will through an error for the other users if we create a automatic lookup using this lookup definition file.
In this way you can create a lookup definition. Also you can access the lookup definition file using inputlookup command.
| inputlookup status_code_definitions
Creating Automatic Lookup:
Now we will create an automatic lookup.
Go to the Settings and click on Lookups and select Automatic Lookup.
And then click on New Automatic Lookup
Then it will open the dialog box to upload the lookup file. Fill the all mandatory fields as shown below.
Destination app: <app name> Name: <name of the automatic lookup> Lookup table: <select the lookup definition you just created from the dropdown> Apply to: <mention the host,source or sourcetype anything as you wish, it will only apply on that only> Named: <name of that metadata which you have selected previously> Lookup input fields: <common or mapping or matching field name of lookup> = <common or mapping or matching field name of event>. For example, you have a “name” field in event which is matching with “emp_name” in lookup so you will have to write, “emp_name=name” Lookup output fields: <field name from the lookup file that you want to as a output in events> = <field name, that will be shown in event data>. For example, In your lookup table has a field name “age” but in event you want to show that as “emp_age” so you have to write “age=emp_age”
And save it.
NOTE: You can add more than one “Lookup input fields” and “Lookup output fields” if you wish.
Now if you go to that sourcetype for which you saved that automatic lookup, in our case it is “sourcetype=splunkd_ui_access”. Then you will find the changes.
If you go to all fields then you will find a field called “Status_Information” is being created (which is a search time field). In that field you will only get those “Status_Information” values respect to the “status” field values, which is mapped with the “status_code” field from the lookup.
Now if you search this.
index=_internal sourcetype=splunkd_ui_access | stats count by status method,Status_Information
In the above query “_internal” is the index and “splunkd_ui_access” is the sourcetype. With the “stats” command we have used three fields “method”, “status” and “Status_Information” which is giving us the count of unique combinations of values from method,status,Status_Information fields.
As you know “Status_Information” was not there in our event , using automatic lookup we have created that field in search time. We can do this same stuff with the “lookup” command as we showed in our previous blog, but by creating automatic lookup you don’t have to invoke the “lookup” command.
Hope you have understood the topic Lookups – Lookup Definition and Automatic Lookup ( Part – 2 ).