Splunk Search

How to make a query using a lookup table and indexed data?

Path Finder

Hi!

I would like to make a query using data in a lookup table and indexed data. The issue is the following:

I have a CSV lookup table uploaded on Splunk. It has 2 columns, Host and Device Type. On the other hand, I have indexed data coming to a UDP port from many hosts. I would like to make a report or dashboard filtered by Device Type, linking the host in the logs with the classification in the lookup table. How can I make it?

Thanks in advance!


Splunk Employee

Hi !

There are multiple ways to do this!

1.) Using the lookup command

… | lookup your_csv_file Host as host OUTPUT Host, "Device Type" | table host "Device Type"

The problem with this approach is that it needs to be used on every search... So it isn't persistent.

2.) Automatic Lookup and Lookup definition

See this tutorial here and check out this documentation too!

Path Finder

Thanks for the answer!

Splunk Employee

If you set up the automatic lookup that I outlined above, filtering for device type is as easy as

source="UDP:514" Device_Type=ISAM

Path Finder

Hi!

Thanks for the answer. It was close to what I am looking for, but I think I didn't explain my issue well enough.

Here is an example of the lookup table (in csv) I uploaded to Splunk:

Host,Device_Type
172.20.77.100,ISAM
172.20.77.101,ISAM
172.20.77.102,MKX
172.20.77.103,MKX

And the indexed data is coming to a specific port (UDP: 514) of Splunk, so I can recognize the IP (Host) of each device. In the Data Summary button, Host tab, I have the indexed data coming from many hosts, which are classified in the CSV file. What I am looking for is a query that begins with the following:

source="udp:514" | "command_to_filter_the_ISAM_devices_for_example"

I would like a command that allows me to only show the indexed data of the ISAM devices, for example, in order to make a dashboard of these devices only, or a way to do something similar. Can you help me with this?

Thanks in advance!

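Two worked forms of the filter asked for above, added here as an example rather than taken from any post in the thread: the first enriches every event with Device_Type via lookup and then filters and counts, the second uses an inputlookup subsearch so that only the hosts classified as ISAM are retrieved at all. Both assume the CSV was uploaded as a lookup table file named device_types.csv (a placeholder) with the columns Host and Device_Type shown above, and that the UDP:514 input stores the sender's IP in the host field.

```spl
source="udp:514"
| lookup device_types.csv Host AS host OUTPUT Device_Type
| search Device_Type=ISAM
| stats count BY host, Device_Type

source="udp:514" [ | inputlookup device_types.csv | search Device_Type=ISAM | fields Host | rename Host AS host ]
| stats count BY host
```

The lookup match is exact and, by default, case-sensitive, so if the input resolves sender IPs to hostnames the Host column must contain those same hostnames rather than the addresses.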