Step by step process to create Splunk lookups:
1 Prepare your lookup file in CSV format. Ensure you can open the file in Excel with no delimiter issues. You can also convert your file to CSV format using Excel; the same file can then be used for the lookup definition.
Special Note: While working on lookups I observed that column names (i.e. the words on the first line) cannot contain a hyphen ("-"); otherwise the lookup does not work.
Below is a sample example file:
status_code,status_description,status_type
100,Continue,Informational
101,Switching Protocols,Informational
200,OK,Successful
201,Created,Successful
202,Accepted,Successful
203,Non-Authoritative Information,Successful
204,NoContent,Successful
205,ResetContent,Successful
206,PartialContent,Successful
300,MultipleChoices,Redirection
301,MovedPermanently,Redirection
302,Found,Redirection
303,SeeOther,Redirection
304,NotModified,Redirection
305,UseProxy,Redirection
307,TemporaryRedirect,Redirection
400,BadRequest,Client Error
401,Unauthorized,Client Error
402,PaymentRequired,Client Error
403,Forbidden,Client Error
404,NotFound,Client Error
405,Method Not Allowed,Client Error
2 Next, define your lookup table file. Click "Lookup table file" and proceed.
3 Upload the lookup table file. This file is saved on the Splunk server in dir: /opt/splunk/etc/users/admin/search/http_status_code.csv
4 Create the lookup definition: select the proper app context and the name of the lookup definition; this same name will be used in the lookup command.
5 Next, ensure you have some events containing the lookup key field, in this case the "status_code" field, which is the first field in our file (refer to step 1). In the search below, we extract a field with the same name as the lookup key field, "status_code": if the name of the extracted field and the name of the lookup key field differ, the lookup will not work.
index=_internal | rex field=_raw "\"\s+(?<status_code>\d+)\s+\d+.*" | table status_code | lookup http_status_code status_code
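The following Python script is an added example, not part of the original post and not Splunk code: it checks a lookup CSV for the problems the steps above warn about (hyphenated column names, ragged rows, duplicate keys) and then emulates what `rex ... | lookup http_status_code status_code` does, joining the extracted status code against the CSV. The lookup rows and the access-log style events are constructed sample data, and the regex mirrors the post's rex pattern (a quoted request followed by the status code); it also shows the failure mode from step 5, where an extracted field whose name differs from the lookup key field gets no enrichment.

```python
import csv
import io
import re

# Constructed sample lookup file, laid out like the one in the post:
# a header line, then one row per HTTP status code.
LOOKUP_CSV = """status_code,status_description,status_type
200,OK,Successful
301,MovedPermanently,Redirection
403,Forbidden,Client Error
404,NotFound,Client Error
"""

# Constructed sample events (access-log style); the status code follows the
# quoted request, which is what the post's rex pattern relies on.
SAMPLE_EVENTS = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:01] "GET /admin HTTP/1.1" 403 128',
    '10.0.0.7 - - [01/Jan/2024:10:00:02] "GET /missing HTTP/1.1" 404 64',
    '10.0.0.8 - - [01/Jan/2024:10:00:03] "GET /old HTTP/1.1" 301 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:04] "GET /teapot HTTP/1.1" 418 0',
]

# Same shape as the post's rex: closing quote, whitespace, status code, whitespace, bytes.
STATUS_RE = re.compile(r'"\s+(?P<status_code>\d+)\s+\d+')


def validate_lookup(csv_text):
    """Return a list of problems found in a lookup CSV (an empty list means it looks fine)."""
    problems = []
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows:
        return ["file is empty"]
    header = rows[0]
    for name in header:
        # The post's Special Note: hyphens in column names break the lookup.
        if "-" in name:
            problems.append(f"column name {name!r} contains a hyphen")
        if not name or name != name.strip():
            problems.append(f"column name {name!r} is blank or has surrounding whitespace")
    seen = set()
    for lineno, row in enumerate(rows[1:], start=2):
        # A row with the wrong number of fields usually means a broken line or a stray delimiter.
        if len(row) != len(header):
            problems.append(f"line {lineno}: expected {len(header)} fields, got {len(row)}")
            continue
        key = row[0]
        if key in seen:
            problems.append(f"line {lineno}: duplicate key {key!r}")
        seen.add(key)
    return problems


def load_lookup(csv_text, key_field):
    """Index the CSV on key_field: {key value: {other column: value, ...}}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if key_field not in reader.fieldnames:
        raise KeyError(f"lookup has no column named {key_field!r}")
    table = {}
    for row in reader:
        table[row.pop(key_field)] = row
    return table


def enrich_events(events, csv_text, extracted_field="status_code", key_field="status_code"):
    """Emulate `rex ... | lookup <definition> <key_field>` over raw event strings.

    extracted_field is the name the rex gives the captured value; key_field is the
    column the lookup matches on. They must be the same name for anything to join.
    """
    table = load_lookup(csv_text, key_field)
    results = []
    for raw in events:
        match = STATUS_RE.search(raw)
        if not match:
            continue
        record = {extracted_field: match.group("status_code")}
        # Rows are added only when the event carries a field named key_field whose
        # value is in the table; a mismatched name or an unknown code adds nothing.
        record.update(table.get(record.get(key_field), {}))
        results.append(record)
    return results


if __name__ == "__main__":
    print("validation:", validate_lookup(LOOKUP_CSV) or "OK")
    for rec in enrich_events(SAMPLE_EVENTS, LOOKUP_CSV):
        print(rec)
    print("mismatched field name:", enrich_events(SAMPLE_EVENTS, LOOKUP_CSV, extracted_field="code")[0])
```

Running it prints an OK validation result, one enriched record per event (the 418 event stays bare because it is not in the table), and finally a record that only contains `code` because the extracted field name no longer matches the lookup key field. Point `validate_lookup` at the real file before uploading it in step 3 to catch hyphenated headers and ragged rows early.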
Thanks for this simple guide. A question: if I update the CSV file with new values, how can I do it?