Splunk Search

Can someone help me understand the syntax and fields in this lookup search example from the online Splunk Book?

janiceb
Path Finder

Hello All,

I am going over one of the recipes in the online Splunk Book, pages 113 and 114. The example is solving the problem of using an explicit lookup and the eval coalesce command to provide a default field value if the event's value is not in the lookup table.

The example they provided is:

.....| lookup mylookup ip | eval domain=coalesce(domain, "unknown")

It is said that the mylookup file has two fields of "host" and "machine_type".

  1. I am assuming that the .... before the | lookup command should be the sourcetype that contains the events, for example, sourcetype=bro_http. Is this correct?
  2. I would like to know what the ip after the mylookup command is supposed to represent. Is this supposed to be a field name that exists in our event data, or is it supposed to be an actual IP since the example said that we are looking for an event's value?
  3. I would like to know where the domain field name comes from. Is this supposed to be a field name in the source event data?

Thanks,

Janice

0 Karma

woodcock
Esteemed Legend

3 Answers:

1: Almost: it actually is your fully qualified base search, which should almost always include index= and usually also sourcetype=.
2: The field ip is a field in your raw events that has dotted-quad IPv4 addresses in it.
3: Without having the workbook, it is hard to say, but the bottom line is, it does not matter; it just has to exist or come from somewhere and for the purposes of learning, it makes no difference at all. It does NOT come automatically, though, like source and host.

0 Karma
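Putting the three answers together as one complete search, as an added example that is not from the Splunk Book or from anyone in this thread. The index and sourcetype, and the assumption that the lookup file's key column is named host while the events carry the address in a field named ip, are illustrative choices made to match the mismatch Janice noticed between the lookup's columns (host, machine_type) and the field names in the Book's search (ip, domain):

```spl
index=bro sourcetype=bro_http
| lookup mylookup host AS ip OUTPUT machine_type AS domain
| eval domain=coalesce(domain, "unknown")
| stats count BY domain
```

Reading it stage by stage: the first line is the base search from answer 1. The lookup stage names the lookup definition (mylookup), then the lookup column to match on (host) and, with AS, the event field whose value is compared against it (ip, answer 2); OUTPUT lists the columns to copy from the matching row and, again with AS, the name they get in the event (machine_type becomes domain, which is where the field in answer 3 comes from). In the Book's shorter form, lookup mylookup ip, the lookup column and the event field are both called ip and, with no OUTPUT clause, every non-key column of the table is added under its own name, so domain would have to be a column of the lookup. Events whose ip has no row in the table come out of lookup with domain null, and coalesce returns its first non-null argument, so those events get "unknown"; the closing stats shows how large that unmatched bucket is, which is a quick check of how complete the lookup table is. Before wiring this up, run `| inputlookup mylookup | head 5` on its own to see the table's real column names, since the match field must be spelled exactly as it appears there.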

janiceb
Path Finder

Thanks Woodcock, for providing an answer. I am going to play around with this a bit more with real examples and see what happens.

0 Karma