With the “ stats” command we have used two fields “ method” and “status”. In the above query “ _internal” is the index and “splunkd_ui_access” is the sourcetype. Įxample: index=_internal sourcetype=splunkd_ui_access | stats count by status method | lookup status_code.csv status_code as status OUTPUT status_information Field names of the lookup file which will add with event search result. Field name of event data which will be used to map with lookup file. Field name of lookup file which will be used to map with event data. This is the only required argument in this command. NOTE: BOLDS are only required arguments - Name of the lookup file which you want to read. Lookup: Use to add fields from the lookup file file into your search result. This is the only required argument in this command.Īs you know in the previous step we uploaded a lookup file name “ status_code.csv”, by using the “ inputlookup” command we are viewing the content of that lookup file as simply as you see. NOTE: BOLDS are only required arguments or - Name of the lookup file which you want to read. Inputlookup – To read a lookup file or to see the contents of a lookup file.You can also know about : How To Find The Missing Values Of A Field By Comparing A Lookup File Important Commands and functions to interact with lookups in Splunk: In this way you can upload any lookup file in Splunk. Destination app : Upload a lookup file : Destination filename : Then it will open the dialog box to upload the lookup file. Then click on Lookup table filesand New Lookup Table file. Then go to the Settings and click on Lookups Log in to your Splunk instance with your credentials. Suppose we have a csv file which consist two field, “ status_code” and “ status_information” it’s basically giving us all HTTP response status codes like 402 is for “ Payment Required”, 403 is for “ Forbidden” and 404 is for “ Page Not Found” etc. Let’s take an example, Suppose you have “ emp_name” and “ age” in your index but you don’t have “ country” name of all employees, but you have a csv file where all the “ country” and “ emp_name” are stored, so in that case you can use that csv file as lookup file to add “country” in your Splunk result where we will use “ emp_name” field as a mapping field because that is the common field we have in both the places.Īt first we will start with creating a lookup file in Splunk. Basically it enriches our data by adding some externals data. Splunk Lookup helps us in adding a complete new field, from an external source based on the value that matches your field in the event data. LOOKUPS – LOOKUP TABLE FILES ( PART – 1 )Ī lookup table or file is one of the most important portions in Splunk, which is mainly use for mapping of fields and field-values.
0 Comments
Leave a Reply. |