Splunk Search Command of the Week: lookup

 

Lookups are a vital part of Splunk. This Splunk search command can be used to enrich data and provide critical insights into the events users are ingesting. Whether it be blacklisted IPs, geo-locations, or product information, you can utilize lookups to find outstanding issues or suspicious events in your environment.

Once your lookups are in Splunk, how do you tie them to our event data? Great question, there are several ways to do this. You might already be familiar with using the Splunk search command, join, to create a sub search, and use inputlookup to bring in the information from the lookup. But what if I told you there was a much easier, much more efficient way to do this?

TA-DA the lookup command. By using the lookup search command, you no longer have to worry about writing sub searches or having to use the join command at all. Instead, we can use this one-stop-shop command to easily integrate our lookup information to our data.

How To Use lookup

Let’s look at the syntax…

|lookup <lookup_name> <correlating field> OUTPUT <field> <field> ….<field>
  • <lookup_name>- name of your lookup
  • <correlating field> – this is a field or field values that match between both the event data and the lookup
  • OUTPUT – required, everything after will be the fields that we are bringing over from the lookup

Then, check out these fields…

Figure 1 - List of field values

Figure 1 – list of field values

 

Example: This particular data set is product purchasing information from a web storefront. As we can see there are a lot of good fields pertaining to the total sales of a product. In this case, we have…

  • productId
  • action
  • status

However, there are a few fields not listed that would really paint the full picture of sales performance through data. Think of fields like product_name and price. Fortunately, you can add a lookup to that information.

Figure 2 - Adding lookup to fields

Figure 2 – Adding lookup to fields

lookup Results 

Once we’ve ingested the lookup into Splunk, we can start to use the lookup command to start bringing that data over to my event data.  Check out this search to do just that.

<base_search>|lookup prices.csv productId OUTPUT product_name price

Then, run the search and take a look back at your fields. You can see that product_name and price our now fields that we can manipulate and search on.

Figure 3 - Lookup results in searchable fields

Figure 3 – Lookup results in searchable fields

Finally, with the lookup search command, you can see your data integrated with your lookup information.

Ask the Experts

If reading through this article… what other use cases might be in terms lookup? Take a look at Splunk Search Command of the week: iplocation, to read how to include geolocation information to your data.

Our Splunk Search Command of the Week series is created by our Expertise on Demand (EOD) experts. Every day, our team of Splunk certified professionals works with customers through Splunk troubleshooting support, including Splunk search command best practice. If you’re interested in learning more about our EOD service or chat with our team of experts, fill out the form below!

Author

Start typing and press Enter to search