Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

¿How to make a query using a lookup table and indexed data?

fvasquezchacon
Path Finder
‎12-16-2014 11:38 AM

Hi!

I would like to make a query using data in a lookup table and indexed data. The issue is the following:

I have a csv lookuptable uploaded on Splunk. It has 2 columns, Host and Device Type. On the other hand, indexed data to a UDP port from many hosts. I would like to make any report or dashboard filtering by Device Type linking the host in the logs with the classification in the lookup table. ¿How can I make it?

Thanks in advance!

Tags (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎12-16-2014 03:02 PM

Hi !

There are multiple ways to do this!

1.) Using the lookup command

… | lookup your_csv_file Host as host OUTPUT Host, “Device Type” | table host “Device Type”

The problem with this approach is that it needs to be used on every search... So it isn't persistent.

2.) Automatic Lookup and Lookup definition

See this tutorial here and check out this documentation too!

View solution in original post

Reply
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎12-16-2014 03:02 PM

Hi !

There are multiple ways to do this!

1.) Using the lookup command

… | lookup your_csv_file Host as host OUTPUT Host, “Device Type” | table host “Device Type”

The problem with this approach is that it needs to be used on every search... So it isn't persistent.

2.) Automatic Lookup and Lookup definition

See this tutorial here and check out this documentation too!

Reply
Solved! Jump to solution

fvasquezchacon
Path Finder
‎12-18-2014 12:08 PM

Thanks for the answer!

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎12-17-2014 11:39 AM

If you set up the automatic lookup that I outlined above, filtering for device type is as easy as

source="UDP:514" Device_Type=ISAM
Reply
Solved! Jump to solution

fvasquezchacon
Path Finder
‎12-17-2014 05:54 AM

Hi!

Thanks for the answer. It was close to what I am looking for, but I think I didn't explain my issue well enough.

Here is an example of the lookup table (in csv) I uploaded to Splunk:

Host,Device_Type
172.20.77.100,ISAM
172.20.77.101,ISAM
172.20.77.102,MKX
172.20.77.103,MKX

And the index data is coming to a specific port (UDP: 514) of Splunk, so I can recognize the IP (Host) of each Device. In the Data Summary Button, Host Tab, I have the indexed data coming from many hosts which ones are classified in the csv file. What I am looking for is query that begins with the following:

source="udp:514" | "command_to_filter_the_ISAM_devices_for_example"

I would like a command that allows me to only show the index data of the ISAM devices, for example, in order to make a dashboard of this devices only or a way to do something similar. ¿Can you help me with this?

Thanks in advance!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...