How to create and manage lookup tables?
yeasuh
Splunk Employee
05-30-2023
10:22 AM
How to create and manage lookup tables?
Brett
SplunkTrust
07-19-2023
11:59 AM
RobertMarks
Observer
07-19-2023
11:50 AM
You can manage a lookup table in the settings tab. You can update or write to a lookup either by uploading it or by using the "| outputlookup" command. You can also do this on the backend under the directory $SPLUNK_HOME/etc/system/lookups/, or in $SPLUNK_HOME/etc/<app_name>/lookups/ if the lookup belongs to a specific app. You can also list lookups using the REST API.
You can access your lookup table at the search bar using "| lookup" or "| inputlookup".
Additionally, you can set automatic lookups under the fields options. These will apply to a sourcetype kind at search time like how a calculated field or field extraction would work.
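
The commands named in the answer above, as an added example that is not part of the original post. It is four separate searches, run in order: write a lookup with `outputlookup`, read it back with `inputlookup`, enrich events with `lookup` (hosts missing from the table show up as `unlisted`), and list lookup files with their app, owner and sharing through the REST endpoint. The file name `example_assets.csv`, the `host` and `owner` fields and every row are constructed for illustration, and the third search assumes you can read `index=_internal`.

```spl
| makeresults count=3
| streamstats count AS n
| eval host=case(n=1, "web01", n=2, "db01", n=3, "build07")
| eval owner=case(n=1, "platform-team", n=2, "data-team", n=3, "ci-team")
| table host owner
| outputlookup example_assets.csv

| inputlookup example_assets.csv
| search owner="data-team"

index=_internal sourcetype=splunkd earliest=-15m
| lookup example_assets.csv host OUTPUT owner
| fillnull value="unlisted" owner
| stats count BY host owner

| rest /services/data/lookup-table-files
| table title eai:acl.app eai:acl.owner eai:acl.sharing
```

The last search is a quick way to review which app each lookup file lives in and who can see it before other searches start depending on it.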