Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Lookup in the Index Time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lookup in the Index Time
Hi,
I have a file coming from the source ( UF ) in which I am getting two fields ( IP and PORT ) , Now I have a lookup file also in which I have four additional fields ( IP, NAME,SOURCE,DESTINATION).
Question is : I dont want to index the source file as it is rather I would like to do the lookup before the data gets stored in the indexer.
Once the lookup is done based on the IP present in the Lookup file as well as the source file, I will have the complete set of data for all the matched IPs, that data I want to index in the indexer.
Kindly help !!
Cheers,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create a app in indexer ,
$SPLUNK_HOME$/etc/(apps OR master-apps)/yourapp/lookups/
yourlookup.csv should be reside in this folder.
$SPLUNK_HOME$/etc/(apps OR master-apps)/yourapp/local/transforms.conf
[yourlookup]
filename=yourlookup.csv
$SPLUNK_HOME$/etc/(apps OR master-apps)/yourapp/local/props.conf
[sourcetype set in UF]
LOOKUP-test = yourlookup IP as IP OUTPUTNEW NAME SOURCE DESTINATION
i hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Amazing reply !! but the entire field is coming ( showing in the indexer ), but when I search for the same index with the sourcetype in the search head , those extra lookup(ed) fields are not showing !! I want to get (see) the data in the search head !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ah okay..
[sourcetype set in UF]
LOOKUP-test = yourlookup IP as IP OUTPUTNEW NAME as lname, SOURCE as lsource, DESTINATION as ldest
EVAL-name = lname
EVAL-source= lsource
EVAL-dest = ldest
If above thing haven't work, then do the same steps in search head as well. Path will be little different
1) Deployer - $SPLUNK_HOME$/etc/shcluster/apps/yourapp/local/
2) Standalone SH - $SPLUNK_HOME$/etc/apps/yourapp/local
/lookups/
yourlookup.csv should be reside in this folder.
/transforms.conf
[yourlookup]
filename=yourlookup.csv
/props.conf
[sourcetype set in UF]
LOOKUP-test = yourlookup IP as IP OUTPUTNEW NAME SOURCE DESTINATION
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
