Solved: How to incorporate a Lookup in search?

tkerr1357 · ‎02-10-2022

Hi all,

I am struggling a bit with incorporating a lookup into my searches. I have a lookup file that is a single column of IP addresses and a header of TORIP. It should be a pretty basic search index=* src_ip=* followed by the lookup. I added the lookup file and lookup definition but when I run a search it fails saying the lookup table doesnt exist.

tkerr1357 · ‎02-11-2022

Thank you, I was able to figure out the issue. I failed to place an OUTPUT ofter defining the field so there was nothing for the search to look at. I fixed that and then added a search command to look for any of the IPs in the lookup command.

View solution in original post

yuanliu · ‎02-10-2022

After uploading TORIP.csv, did you define a lookup with it? (C.f., Define a CSV lookup in Splunk Web.) When I use a file named "foo.csv", I usually name the lookup "foo" to remind me that it is a necessary step.

ITWhisperer · ‎02-10-2022

Is the lookup visible to the user and is it in the same app or global?

tkerr1357 · ‎02-11-2022

Thank you, I was able to figure out the issue. I failed to place an OUTPUT ofter defining the field so there was nothing for the search to look at. I fixed that and then added a search command to look for any of the IPs in the lookup command.

How to incorporate a Lookup in search?

lookup

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

How to incorporate a Lookup in search?

lookup

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine