All that machine-generated information may be full of distinctive identifiers and result or status codes, which are efficient for processing and storage but not always easily understood by you or me.
To make your Splunk search results more “readable”, you may want to enrich them with something more “user friendly”, such as a description or a name.
“Lookups” in Splunk let you add fields to your search results containing information from external sources, such as a static table (a CSV file) or the dynamic result of a Python-based script.
A lookup uses field values (or timestamps) in your events to decide which rows of the external data source to pull the additional fields from.
So, let us ponder a really easy example of a Splunk lookup – a static lookup that:
- takes a “Business Unit” value in an event
- matches that value with the organization's “business unit name” in a CSV file and then
- adds that name to the event as the value of a new Business Unit Name field.
(So if you have an event where “Business Unit” = “999999”, the lookup would add “Business Unit Name” = “Corporate Office” to that event.)
Of course, there are more advanced ways to work with lookups. For example, you can:
- arrange to have a static lookup table be populated by the results of a report.
- define a field lookup that is based on an external Python script.
- create a time-based lookup, if you are working with a lookup table that includes a field value that represents time. For example, this could come in handy if you need to use DHCP logs to identify users on your network based on their IP address and the event timestamp.
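To make the two kinds of lookup concrete, here is an added example (not from the original post, and not Splunk's own code) that reproduces in plain Python what the static “Business Unit” lookup and the time-based DHCP lookup described above do. The CSV contents, the IP addresses and the user names are constructed sample data; the file name BUtoBUName.csv is assumed.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed static lookup table (what BUtoBUName.csv under lookups/ might hold).
BU_CSV = """BU,BUName
999999,Corporate Office
650693NLR001,North Region Sales
"""

# Constructed DHCP lease table for a time-based lookup: who held an IP from when.
DHCP_CSV = """lease_start,ip,user
2014-03-01T08:00:00Z,10.1.2.3,alice
2014-03-01T12:30:00Z,10.1.2.3,bob
2014-03-01T09:15:00Z,10.1.2.4,carol
"""

def load_table(text):
    """Read a CSV lookup table into a list of row dicts (header row = field names)."""
    return list(csv.DictReader(io.StringIO(text)))

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def static_lookup(events, table, match_field, event_field, output_field, new_field):
    """Same effect as: lookup <table> <match_field> as <event_field> OUTPUT <output_field> as <new_field>"""
    index = {row[match_field]: row[output_field] for row in table}
    out = []
    for ev in events:
        ev = dict(ev)
        value = index.get(ev.get(event_field))
        if value is not None:  # no match: the event passes through unchanged
            ev[new_field] = value
        out.append(ev)
    return out

def time_lookup(events, table, time_field, match_field, event_field, output_field, new_field):
    """Time-based lookup: use the matching row whose time is the latest at or before the event's _time."""
    out = []
    for ev in events:
        ev = dict(ev)
        t = parse_ts(ev["_time"])
        cands = [r for r in table
                 if r[match_field] == ev.get(event_field) and parse_ts(r[time_field]) <= t]
        if cands:
            ev[new_field] = max(cands, key=lambda r: parse_ts(r[time_field]))[output_field]
        out.append(ev)
    return out
```

The time-based variant matters for the DHCP case: the same IP maps to different users over the day, so the event timestamp, not just the address, decides which lease row applies.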
So, here is an example. I have a search that creates a table based upon Cognos TM1 file extracts:
sourcetype=csv 2014 "Current Forecast" "Direct" "513500" |
rename May as "Month" Actual as "Version" "FY 2012" as Year 650693NLR001 as "Business Unit" 100000 as "FCST" "09997_Eliminations Co 2" as "Account" "451200" as "Activity" | eval RFCST=round(FCST) |
table Month, "Business Unit", RFCST
The table is created as:
[Screenshot: the resulting table with the columns Month, Business Unit and RFCST]
Now we can add the lookup command to the search pipeline to map the “Business Unit” to a “Business Unit Name”:
sourcetype=csv 2014 "Current Forecast" "Direct" "513500" |
rename May as "Month" Actual as "Version" "FY 2012" as Year 650693NLR001 as "Business Unit" 100000 as "FCST" "09997_Eliminations Co 2" as "Account" "451200" as "Activity" | eval RFCST=round(FCST) |
lookup BUtoBUName BU as "Business Unit" OUTPUT BUName as "Business Unit Name" | table Month, "Business Unit", "Business Unit Name", RFCST
Using the lookup command in our Splunk search pipeline will now give us the “Business Unit Name” in our table:
[Screenshot: the resulting table with the columns Month, Business Unit, Business Unit Name and RFCST]
Awesome! This is just a “first step” towards building more informative Splunk searches – but you get the idea.
More to come!