Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

¿How to make a query using a lookup table and indexed data?

fvasquezchacon
Path Finder
‎12-16-2014 11:38 AM

Hi!

I would like to make a query using data in a lookup table and indexed data. The issue is the following:

I have a csv lookuptable uploaded on Splunk. It has 2 columns, Host and Device Type. On the other hand, indexed data to a UDP port from many hosts. I would like to make any report or dashboard filtering by Device Type linking the host in the logs with the classification in the lookup table. ¿How can I make it?

Thanks in advance!

Tags (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎12-16-2014 03:02 PM

Hi !

There are multiple ways to do this!

1.) Using the lookup command

… | lookup your_csv_file Host as host OUTPUT Host, “Device Type” | table host “Device Type”

The problem with this approach is that it needs to be used on every search... So it isn't persistent.

2.) Automatic Lookup and Lookup definition

See this tutorial here and check out this documentation too!

View solution in original post

Reply
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎12-16-2014 03:02 PM

Hi !

There are multiple ways to do this!

1.) Using the lookup command

… | lookup your_csv_file Host as host OUTPUT Host, “Device Type” | table host “Device Type”

The problem with this approach is that it needs to be used on every search... So it isn't persistent.

2.) Automatic Lookup and Lookup definition

See this tutorial here and check out this documentation too!

Reply
Solved! Jump to solution

fvasquezchacon
Path Finder
‎12-18-2014 12:08 PM

Thanks for the answer!

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎12-17-2014 11:39 AM

If you set up the automatic lookup that I outlined above, filtering for device type is as easy as

source="UDP:514" Device_Type=ISAM
Reply
Solved! Jump to solution

fvasquezchacon
Path Finder
‎12-17-2014 05:54 AM

Hi!

Thanks for the answer. It was close to what I am looking for, but I think I didn't explain my issue well enough.

Here is an example of the lookup table (in csv) I uploaded to Splunk:

Host,Device_Type
172.20.77.100,ISAM
172.20.77.101,ISAM
172.20.77.102,MKX
172.20.77.103,MKX

And the index data is coming to a specific port (UDP: 514) of Splunk, so I can recognize the IP (Host) of each Device. In the Data Summary Button, Host Tab, I have the indexed data coming from many hosts which ones are classified in the csv file. What I am looking for is query that begins with the following:

source="udp:514" | "command_to_filter_the_ISAM_devices_for_example"

I would like a command that allows me to only show the index data of the ISAM devices, for example, in order to make a dashboard of this devices only or a way to do something similar. ¿Can you help me with this?

Thanks in advance!

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...