These recipes extensively use three lookup search commands: lookup, inputlookup, and outputlookup.

lookup
For each event, this command finds matching rows in an external CSV table and returns the other column values, enriching the events. For example, given an event with a host field value and a lookup table that has host and machine_type rows, specifying … | lookup mylookup host adds the machine_type value corresponding to the host value to each event. By default, matching is case-sensitive and does not support wildcards, but you can configure these options. Using the lookup command matches values in external tables explicitly. Automatic lookups, which are set up using Splunk Manager, match values implicitly.

inputlookup
This command returns the whole lookup table as search results. For example, … | inputlookup mylookup returns a search result for each row in the table mylookup, which has two field values: host and machine_type.

outputlookup
You might wonder how to create a lookup table. This command outputs the current search results to a lookup table on disk. For example, … | outputlookup mytable.csv saves all the results into mytable.csv.

You need a default field value if an event's value is not in the lookup table. Using an explicit lookup, you can simply use the eval coalesce function: … | lookup mylookup ip | eval domain=coalesce(domain,"unknown"). Using automatic lookups, there's a setting for that. Go to Manager > Lookups > Lookup Definition > mylookup, select the Advanced options checkbox, and make the following changes: Set Minimum matches: 1

You need to search for events based on the output of a lookup table. Splunk permits you to use reverse lookup searches, meaning you can search for the output value of an automatic lookup and Splunk can translate that into a search for the corresponding input fields of the lookup.

For example, look up an IP address in a table of common, well-known hosts and, if that fails for a given event, then and only then use a secondary, more expensive full DNS lookup.
Solution
After we've retrieved events, we do our initial lookup against local_dns.csv, a local lookup file: … | lookup local_dns ip OUTPUT hostname. If the lookup doesn't match, the hostname field is null for that event. We now perform the second, expensive lookup on events that have no hostname: … | lookup dnslookup ip OUTPUTNEW hostname. By using OUTPUTNEW instead of OUTPUT, the lookup will only run on events that have a null value for the hostname. Combined, the two steps read: … | lookup local_dns ip OUTPUT hostname | lookup dnslookup ip OUTPUTNEW hostname

Using Multistep Lookups
You need to look up a value in one lookup file and use a returned field value from that first lookup to do a second lookup using a different lookup file. You can do this manually by running sequential lookup commands. For example, if a first lookup table takes values of field A and outputs values of field B, and a second lookup table takes values of field B and outputs values of field C: … | lookup my_first_lookup A | lookup my_second_lookup B
More interestingly, this can be done using automatic lookups, where this chaining happens automatically. It is imperative, however, that the lookups are run in the correct order, by using the alphanumeric precedence of property names. Go to Manager > Lookups > Automatic lookups, and create two automatic lookups, making sure that the one to run later has a name value greater than the previous lookup name. For example:
0_first_lookup = my_first_lookup A OUTPUT B
1_second_lookup = my_second_lookup B OUTPUT C

Creating a Lookup Table from Search Results
You want to create a lookup table from search results. First, events have many fields, including internal fields like _raw and _time, which you don't want in your lookup table. Second, of the fields you do care about, most likely there are duplicate values on the events retrieved. To handle the first problem, we won't use the fields command because it's inconvenient to remove internal fields. Instead, we'll use the table command to better limit the fields to what we explicitly specify. To solve the second problem, use the dedup command. Putting it all together: … | table field1, field2

You need to append results to an existing lookup table. For example, you want to create a single lookup table based on the results of multiple iterations of the same search. Specifically, suppose you wanted to keep track of the last IP each user logged in from. You might want to run a job every 15 minutes to look that up and update the lookup table with new users. The basic procedure is to get the set of results you want to append to the lookup table, use inputlookup to append the current contents of the lookup, and use outputlookup to write the lookup.
Your_search_to_retrieve_values_needed | fields the_interesting_fields
First, we told Splunk to retrieve the new data and retain only the fields needed for the lookup table.
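As an added example (not part of the original recipes), a small Python model of the lookup semantics the recipes rely on: OUTPUT versus OUTPUTNEW in the two-step DNS enrichment, the eval coalesce default, and why the append recipe has to place the new results ahead of the existing rows before dedup so that the most recent IP per user survives. The tables LOCAL_DNS and FULL_DNS and the event rows are constructed sample data; this models the behaviour described on the page and is not Splunk's own implementation.

```python
"""Model of the lookup semantics this page describes (OUTPUT vs OUTPUTNEW, the
eval coalesce default, and append-then-dedup when rewriting a lookup).
Standalone model over constructed data, not Splunk's own code."""
from typing import Dict, List, Optional

# Constructed tables standing in for local_dns.csv and the full DNS lookup.
LOCAL_DNS = {"10.0.0.5": "bastion.corp"}
FULL_DNS = {"10.0.0.5": "stale-name.corp", "10.0.0.9": "db01.corp"}
Event = Dict[str, Optional[str]]

def lookup(events: List[Event], table: Dict[str, str], in_field: str,
           out_field: str, new_only: bool = False) -> List[Event]:
    """One `| lookup <table> <in_field> OUTPUT|OUTPUTNEW <out_field>` step.
    Exact, case-sensitive match. OUTPUTNEW (new_only=True) skips events that already
    carry a non-null out_field, so the expensive table is consulted only for the
    gaps. On no match the field stays as it was (null if it never existed)."""
    result = []
    for ev in events:
        ev = dict(ev)
        if not (new_only and ev.get(out_field) is not None):
            match = table.get(ev.get(in_field) or "")
            if match is not None:
                ev[out_field] = match
            else:
                ev.setdefault(out_field, None)
        result.append(ev)
    return result

def coalesce(*values: Optional[str]) -> Optional[str]:
    """eval coalesce(): the first non-null argument."""
    return next((v for v in values if v is not None), None)

def resolve_hostnames(events: List[Event]) -> List[Event]:
    """… | lookup local_dns ip OUTPUT hostname | lookup dnslookup ip OUTPUTNEW hostname
       | eval hostname=coalesce(hostname, "unknown")"""
    events = lookup(events, LOCAL_DNS, "ip", "hostname")
    events = lookup(events, FULL_DNS, "ip", "hostname", new_only=True)
    return [dict(ev, hostname=coalesce(ev["hostname"], "unknown")) for ev in events]

def append_lookup(existing_rows: List[Event], new_results: List[Event],
                  key: str) -> List[Event]:
    """The append recipe: new results first, then the current lookup contents
    (inputlookup), then dedup on key. dedup keeps the first row it sees, so the
    fresh row wins and outputlookup writes each user's most recent IP."""
    seen, merged = set(), []
    for row in list(new_results) + list(existing_rows):
        if row[key] not in seen:
            seen.add(row[key])
            merged.append(dict(row))
    return merged
```

Reversing the order of new_results and existing_rows in append_lookup would make dedup keep the stale row, which is the mistake the recipe's ordering guards against.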