passionfoki.blogg.se

Splunk lookup

Lookup table files are files that contain a lookup table. A standard lookup pulls fields out of this table and adds them to your events when corresponding fields in the table are matched in your events. All lookup types use lookup tables, but only two lookup types require that you upload a lookup table file: CSV lookups and geospatial lookups.

A single lookup table file can be used by multiple lookup definitions. For example, say you have a CSV lookup table file that provides the definitions of http_status fields. If you have events that include http_status = 503 you can have a lookup that finds the value of 503 in the lookup table column for the http_status field and pulls out the corresponding value for status_description in that lookup table.


If you have Splunk Enterprise or Splunk Light and have access to the configuration files for your Splunk deployment, you can configure lookups by editing configuration files.

CSV lookup: Populates your events with fields pulled from CSV files. Also referred to as a static lookup because CSV files represent static tables of data. Each column in a CSV table is interpreted as the potential values of a field. Use CSV lookups when you have small sets of data that are relatively static. CSV inline lookup table files and inline lookup definitions that use CSV files are both dataset types. See About datasets.

External lookup (data source: an external source, such as a DNS server): Uses Python scripts or binary executables to populate your events with field values from an external source.

KV Store lookup: Matches fields in your events to fields in a KV Store collection and outputs corresponding fields in that collection to your events. Use a KV Store lookup when you have a large lookup table or a table that is updated often.

Geospatial lookup (data source: a Keyhole Markup Zipped (KMZ) or Keyhole Markup Language (KML) file, used to define boundaries of mapped regions such as countries, US states, and US counties): A geospatial lookup matches location coordinates in your events to geographic feature collections in a KMZ or KML file and outputs fields to your events that provide corresponding geographic feature information encoded in the KMZ or KML, like country, state, or county names. Use a geospatial lookup to create a query that Splunk software uses to configure a choropleth map.
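How a Python external lookup of the kind described above exchanges data with Splunk software, as an added example (not code from the original page or from Splunk): the script receives a CSV on standard input with the output field left empty and writes the completed CSV to standard output. The argument order (IP field, then host field), the field names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
import socket
import sys


def reverse_dns(ip):
    """Default resolver: PTR lookup; returns "" when nothing resolves."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ""


def fill_rows(infile, outfile, ip_field, host_field, resolver=reverse_dns):
    """Read the partially empty CSV, fill host_field, write the CSV back."""
    reader = csv.DictReader(infile)
    names = reader.fieldnames or [ip_field, host_field]
    writer = csv.DictWriter(outfile, fieldnames=names)
    writer.writeheader()
    filled = 0
    for row in reader:
        ip = (row.get(ip_field) or "").strip()
        if ip and not row.get(host_field):
            try:
                # Event data is untrusted: only resolve syntactically valid IPs.
                ipaddress.ip_address(ip)
            except ValueError:
                pass  # leave the output field empty, as for any non-match
            else:
                row[host_field] = resolver(ip)
                filled += bool(row[host_field])
        writer.writerow(row)
    return filled


def demo():
    """Run the lookup over constructed rows with a constructed resolver."""
    sample = "clientip,clienthost\n192.0.2.10,\nnot-an-ip;id,\n198.51.100.7,\n"
    table = {"192.0.2.10": "web01.example.test"}  # constructed, offline
    out = io.StringIO()
    count = fill_rows(io.StringIO(sample), out, "clientip", "clienthost",
                      lambda ip: table.get(ip, ""))
    return count, out.getvalue()


if __name__ == "__main__":
    if len(sys.argv) == 3:  # assumed call: script.py <ip_field> <host_field>
        fill_rows(sys.stdin, sys.stdout, sys.argv[1], sys.argv[2])
    else:
        print(demo()[1], end="")
```

Rows whose key is not a valid IP address, or for which the resolver finds nothing, are passed back with the output field still empty, so those events are left unenriched.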


Lookups enrich your event data by adding field-value combinations from lookup tables. Splunk software uses lookups to match field-value combinations in your event data with field-value combinations in external lookup tables. If Splunk software finds those field-value combinations in your lookup table, Splunk software will append the corresponding field-value combinations from the table to the events in your search. You can create lookups in Splunk Web through the Settings pages for lookups.














