Splunk Search

Help me on how I can create a lookup file in Lookup Editor

pacifikn
Communicator

Greetings!!

Help me on how I can create a lookup file in Lookup Editor.

I usually see a field called host that is identified by source IP, and I also want to add another column that will describe that IP; its name is xyz name, and I need to see it by its name, not only by IP, e.g. if the IP is 10.12.1.5 and the name. How can you do it using Lookup Editor? Kindly help me and guide me; I'm new to Splunk. Thank you!!


kartm2020
Communicator

Hi,
There are two steps you need to perform.

1. Uploading the lookup file
   First you have to create the .csv, where you fill in the IP address in the first column and the name in the other column.
   Go to Lookups -> Lookup table files >> New lookup file.
   Give the lookup file a name. This name will be the lookup name for Splunk. The filename should end with .csv.

2. Creating the automatic lookup
   Once you are done uploading the file, the next step is to create the automatic lookup.
   Go to Lookups -> Automatic lookups >> New Automatic lookup.
   Select the destination app and fill in whichever name you want.
   Select the lookup table which you gave previously (the lookup filename).
   Give the source type to which you want to apply this lookup.
   Now fill in the input and output fields. In your example, IP address will be the input field and Name will be the output field:
   IPAddress = IPAddress
   Name = Name

Click save.

If you search with the sourcetype, you will get the new field with "Name"

Please let me know for any challenges.


pacifikn
Communicator

Thank you All!

Dear Kartm!

I was doing these steps with the Lookup Editor app, and I verified with this command in Search & Reporting: | inputlookup and filename.csv. It returned the values, but the only problem is that I didn't find how to change the column names, which are now displayed like this:

Column1 Column2

192.168.x.x Name_Ip1

x.x.x.x Name –IP2

As you see in the table above, the columns remain default. I WANT to change them to other column names, not the default ones,

like IP and host name; this is what I want to put in instead of the default ones.

like this: IP hostname
x.x.x.x name of host of IP

Another question on this question is that I always want to see hostname values, not only IP: every time I do a search where I see an IP, I should also get its description; here I mean logsourcename, not only logsourceip?

kartm, another thing is that I didn't do this step (Go to lookups ->Lookup table files >> New lookup file
Give the name of the lookup filename. this name will be lookup name for splunk. filename should end with .csv). I only used the Lookup Editor app, and next I did the second step of adding a Lookup Definition [Settings -- Lookups -- Lookup Definitions -- Add new] connected to the file of the new lookup.
* What to do next? Is it necessary to create an automatic lookup?
* I need help and guidance on how I could get the results so that every time I find an IP I also get its description in Column2, which I also want to always have the name I gave it: not Column1 and Column2, I want to see IP and hostname.

Thank you!


sanjeev543
Communicator

Hi,

First, you create a CSV file with the host names and IPs.
Then, go to settings and create a lookup file and upload the CSV file.
Next, you could use that lookup file to create a lookup definition or automatic lookup.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Usefieldlookupstoaddinformationtoyourev...

For creating automatic lookup

https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/DefineanautomaticlookupinSplunkWeb

Cheers,
Sanjeev


gcusello
SplunkTrust

Hi @pacifikn,
the easiest approach is to create a CSV file in Excel, avoiding spaces in the field names in the header.
Then you can open Lookup Editor and import the file.
Then you have to add a Lookup Definition [Settings -- Lookups -- Lookup Definitions -- Add new] connected to the file of the new lookup.

I don't know if your lookup needs special access rights, eventually analyze and manage this issue.

Ciao.
Giuseppe
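
The steps described in this thread, written as the equivalent configuration files (an added example, not part of any reply above and not taken from Splunk's documentation). It assumes a lookup file named host_names.csv, a lookup definition named host_names, a placeholder sourcetype your_sourcetype, and events whose host field holds the IP address. The column names that `| inputlookup` shows come from the first row of the CSV.

```ini
# host_names.csv (constructed sample). The first row is the header; its
# values become the lookup's field names, so avoid spaces in them:
#
#   IP,hostname
#   10.12.1.5,xyz name
#
# Check the file from Search & Reporting:
#   | inputlookup host_names.csv

# transforms.conf: the lookup definition (the name "host_names" is an assumption)
[host_names]
filename = host_names.csv

# props.conf: the automatic lookup for one sourcetype
# ("your_sourcetype" is a placeholder). Events carry the IP in the "host"
# field and the CSV carries it in "IP", so match IP AS host and add hostname.
[your_sourcetype]
LOOKUP-host_names = host_names IP AS host OUTPUT hostname

# Without an automatic lookup, the same enrichment can be done per search:
#   sourcetype=your_sourcetype | lookup host_names IP AS host OUTPUT hostname
```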
