Can someone help me understand the syntax and fiel...

janiceb · ‎06-28-2016

Hello All,

I am going over one of the recipes in the online Splunk Book, pages 113 and 114. The example is solving the problem of using an explicit lookup and the eval coalesce command to provide a default field value if the event's value is not in the lookuptable.

The example they provided is:

.....| lookup mylookup ip | eval domain=coalesce(domain, "unknown")

It is said that the mylookup file has two fields of "host" and "machine_type".

I am assuming that the .... before the | lookup command should be the sourcetype that contains the events, for example, sourcetype=bro_http. Is this correct?
I would like to know what the ip after the mylookup command is supposed to represent. Is this supposed to be a field name that exists in our event data, or is it supposed to be an actual IP since the example said that we are looking for an event's value?
I would like to know where does the domain field name come from? Is this supposed to be a field name in the source event data?

Thanks,

Janice

woodcock · ‎06-28-2016

3 Answers:

1: Almost: it actually is your fully qualified base search which should almost always include index=and usually also sourcetype=.
2: The field ip is a field in your raw events that has dotted-quad IPv4 addresses in it.
3: Without having the workbook, it is hard to say, but the bottom line is, it does not matter; it just has to exist or come from somewhere and for the purposes of learning, it makes no difference at all. It does NOT come automatically, though, like source and host.

janiceb · ‎06-29-2016

Thanks Woodcock, for providing an answer. I am going to play around with this a bit more with real examples and see what happens.

Can someone help me understand the syntax and fields in this lookup search example from the online Splunk Book?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk