Lookups are a vital part of Splunk. They enrich event data with context and provide critical insight into the events you are ingesting. Whether it is blacklisted IPs, geo-locations, or product information, you can use lookups to surface outstanding issues or suspicious events in your environment.
Once your lookups are in Splunk, how do you tie them to your event data? Great question; there are several ways to do this. You might already be familiar with using the join search command to run a subsearch, with inputlookup inside it to bring in the rows from the lookup. But what if I told you there was a much easier, much more efficient way to do this?
TA-DA: the lookup command. With the lookup search command you no longer have to write subsearches or use join at all. Instead, this one-stop-shop command integrates your lookup information directly into your event data.
How To Use lookup
Let’s look at the syntax…
|lookup <lookup_name> <correlating field> [AS <event field>] [OUTPUT | OUTPUTNEW] <field> <field> ….<field>
- <lookup_name> – name of your lookup (a lookup definition, or the CSV file name)
- <correlating field> – the field whose values match between the event data and the lookup table. If the column is named differently in the lookup than in your events, add AS <event field> to map the lookup column to the event field.
- OUTPUT – optional; everything after it is the list of lookup fields to bring over. If you omit it, every non-matching column in the lookup is added. OUTPUTNEW does the same but will not overwrite a field an event already has.
Then, check out these fields…
Example: this data set is product purchasing information from a web storefront. As you can see, there are a lot of useful fields pertaining to the total sales of a product. In this case, we have…
However, a few fields that would really paint the full picture of sales performance are missing. Think of fields like product_name and price. Fortunately, you can bring that information in from a lookup.
Once we’ve ingested the lookup into Splunk, we can use the lookup command to bring that data over to our event data. Check out this search to do just that.
<base_search>|lookup prices.csv productId OUTPUT product_name price
Then run the search and take a look back at your fields. You can see that product_name and price are now fields that you can manipulate and search on.
Finally, with the lookup search command, you can see your data integrated with your lookup information.
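The syntax section and the storefront example above cover the happy path where the matching field has the same name on both sides and every event has a match. As an added example (not part of the original post), here is the same command applied to the blacklisted-IP use case mentioned at the top, using the AS mapping and the OUTPUTNEW variant. The lookup file name blocklist.csv, its columns ip, threat_category and source, the index and sourcetype, and the event field src_ip are all assumptions for illustration.

```spl
index=firewall sourcetype=pan:traffic
| lookup blocklist.csv ip AS src_ip OUTPUT threat_category source
| where isnotnull(threat_category)
| stats count AS hits values(source) AS feeds BY src_ip threat_category
| sort - hits

index=firewall sourcetype=pan:traffic
| lookup blocklist.csv ip AS src_ip OUTPUTNEW threat_category

index=firewall sourcetype=pan:traffic
| join type=left src_ip [ | inputlookup blocklist.csv | rename ip AS src_ip ]
| where isnotnull(threat_category)
```

The first search maps the lookup column ip onto the event field src_ip, pulls two columns over, and keeps only the events that actually matched; events with no match still flow through the lookup command, they simply never receive the new fields, which is why the where clause is needed. The second search uses OUTPUTNEW so that an event which already carries a threat_category (from an earlier enrichment, for example) keeps its existing value. The third search is the join form the post is steering you away from: it produces the same rows, but the lookup table has to be materialised by a subsearch on every run and is subject to subsearch result limits, whereas lookup reads the table directly. One caveat worth checking before you trust a blacklist match: CSV lookup matching is case-sensitive by default (case_sensitive_match in the lookup definition), so normalise values such as hostnames or hashes before matching on them.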
Ask the Experts
After reading this article, what other use cases might you have for lookup? Take a look at Splunk Search Command of the Week: iplocation, to read how to add geolocation information to your data.
Our Splunk Search Command of the Week series is created by our Expertise on Demand (EOD) experts. Every day, our team of Splunk certified professionals works with customers through Splunk troubleshooting support, including Splunk search command best practice. If you’re interested in learning more about our EOD service or want to chat with our team of experts, fill out the form below!