Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can someone help me understand the syntax and fields in this lookup search example from the online Splunk Book?

janiceb
Path Finder
‎06-28-2016 01:07 PM

Hello All,

I am going over one of the recipes in the online Splunk Book, pages 113 and 114. The example is solving the problem of using an explicit lookup and the eval coalesce command to provide a default field value if the event's value is not in the lookuptable.

The example they provided is:

.....| lookup mylookup ip | eval domain=coalesce(domain, "unknown")

It is said that the mylookup file has two fields of "host" and "machine_type".

  1. I am assuming that the .... before the | lookup command should be the sourcetype that contains the events, for example, sourcetype=bro_http. Is this correct?
  2. I would like to know what the ip after the mylookup command is supposed to represent. Is this supposed to be a field name that exists in our event data, or is it supposed to be an actual IP since the example said that we are looking for an event's value?
  3. I would like to know where does the domain field name come from? Is this supposed to be a field name in the source event data?

Thanks,

Janice

0 Karma
Reply

woodcock
Esteemed Legend
‎06-28-2016 01:26 PM

3 Answers:

1: Almost: it actually is your fully qualified base search which should almost always include index=and usually also sourcetype=.
2: The field ip is a field in your raw events that has dotted-quad IPv4 addresses in it.
3: Without having the workbook, it is hard to say, but the bottom line is, it does not matter; it just has to exist or come from somewhere and for the purposes of learning, it makes no difference at all. It does NOT come automatically, though, like source and host.

0 Karma
Reply

janiceb
Path Finder
‎06-29-2016 07:47 AM

Thanks Woodcock, for providing an answer. I am going to play around with this a bit more with real examples and see what happens.

0 Karma
Reply
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...