Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

¿How to make a query using a lookup table and indexed data?

fvasquezchacon
Path Finder
‎12-16-2014 11:38 AM

Hi!

I would like to make a query using data in a lookup table and indexed data. The issue is the following:

I have a csv lookuptable uploaded on Splunk. It has 2 columns, Host and Device Type. On the other hand, indexed data to a UDP port from many hosts. I would like to make any report or dashboard filtering by Device Type linking the host in the logs with the classification in the lookup table. ¿How can I make it?

Thanks in advance!

Tags (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎12-16-2014 03:02 PM

Hi !

There are multiple ways to do this!

1.) Using the lookup command

… | lookup your_csv_file Host as host OUTPUT Host, “Device Type” | table host “Device Type”

The problem with this approach is that it needs to be used on every search... So it isn't persistent.

2.) Automatic Lookup and Lookup definition

See this tutorial here and check out this documentation too!

View solution in original post

Reply
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎12-16-2014 03:02 PM

Hi !

There are multiple ways to do this!

1.) Using the lookup command

… | lookup your_csv_file Host as host OUTPUT Host, “Device Type” | table host “Device Type”

The problem with this approach is that it needs to be used on every search... So it isn't persistent.

2.) Automatic Lookup and Lookup definition

See this tutorial here and check out this documentation too!

Reply
Solved! Jump to solution

fvasquezchacon
Path Finder
‎12-18-2014 12:08 PM

Thanks for the answer!

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎12-17-2014 11:39 AM

If you set up the automatic lookup that I outlined above, filtering for device type is as easy as

source="UDP:514" Device_Type=ISAM
Reply
Solved! Jump to solution

fvasquezchacon
Path Finder
‎12-17-2014 05:54 AM

Hi!

Thanks for the answer. It was close to what I am looking for, but I think I didn't explain my issue well enough.

Here is an example of the lookup table (in csv) I uploaded to Splunk:

Host,Device_Type
172.20.77.100,ISAM
172.20.77.101,ISAM
172.20.77.102,MKX
172.20.77.103,MKX

And the index data is coming to a specific port (UDP: 514) of Splunk, so I can recognize the IP (Host) of each Device. In the Data Summary Button, Host Tab, I have the indexed data coming from many hosts which ones are classified in the csv file. What I am looking for is query that begins with the following:

source="udp:514" | "command_to_filter_the_ISAM_devices_for_example"

I would like a command that allows me to only show the index data of the ISAM devices, for example, in order to make a dashboard of this devices only or a way to do something similar. ¿Can you help me with this?

Thanks in advance!

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top