Splunk Search

Can someone help me understand the syntax and fields in this lookup search example from the online Splunk Book?

janiceb
Path Finder

Hello All,

I am going over one of the recipes in the online Splunk Book, pages 113 and 114. The example is solving the problem of using an explicit lookup and the eval coalesce command to provide a default field value if the event's value is not in the lookuptable.

The example they provided is:

.....| lookup mylookup ip | eval domain=coalesce(domain, "unknown")

It is said that the mylookup file has two fields of "host" and "machine_type".

  1. I am assuming that the .... before the | lookup command should be the sourcetype that contains the events, for example, sourcetype=bro_http. Is this correct?
  2. I would like to know what the ip after the mylookup command is supposed to represent. Is this supposed to be a field name that exists in our event data, or is it supposed to be an actual IP since the example said that we are looking for an event's value?
  3. I would like to know where does the domain field name come from? Is this supposed to be a field name in the source event data?

Thanks,

Janice

0 Karma

woodcock
Esteemed Legend

3 Answers:

1: Almost: it actually is your fully qualified base search which should almost always include index=and usually also sourcetype=.
2: The field ip is a field in your raw events that has dotted-quad IPv4 addresses in it.
3: Without having the workbook, it is hard to say, but the bottom line is, it does not matter; it just has to exist or come from somewhere and for the purposes of learning, it makes no difference at all. It does NOT come automatically, though, like source and host.

0 Karma

janiceb
Path Finder

Thanks Woodcock, for providing an answer. I am going to play around with this a bit more with real examples and see what happens.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...