Let's explain what happens at each step:
1. The initial search.
2. All event types that are tagged actionable are substituted. In this case, we only have one, but if there were multiple, they would be combined with OR.
3. The definition of the event type failed_admin_login is expanded.
4. The definition of failed_login is expanded.
5. The definition of login is expanded.
6. All values of user with the tag admin are substituted, separated by OR.
Any changes to tagged values or event type definitions will be reflected the next
time they are used in any search or report.
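The six steps above can be modelled as repeated textual substitution. The following is an added example, not code from the book or from Splunk: a toy expander that holds event type definitions and tag memberships in two dictionaries and rewrites a search until no tag:: or eventtype= term remains. The definitions of login, failed_login and failed_admin_login and the two users tagged admin are assumptions chosen to match the names in the walkthrough; the search strings are not the book's. Tags are expanded eagerly on every pass, so the intermediate strings differ from the book's ordering, but the final search is the same, and a circular definition is caught rather than looping forever.

```python
"""Toy model of Splunk's tag and event type expansion.

Added example; this is not Splunk code and not the book's code. The event
type definitions and tag memberships below are constructed to match the
names used in the walkthrough; the actual search strings are assumptions.
"""
import re

# Constructed definitions (assumed, not taken from the book).
EVENTTYPES = {
    "login": 'sourcetype=impl_splunk_gen "login"',
    "failed_login": 'eventtype=login "failed"',
    "failed_admin_login": "eventtype=failed_login tag::user=admin",
}

# (field, tag) -> values of that field carrying the tag.
# Event types tagged "actionable" live under the field "eventtype".
TAGS = {
    ("eventtype", "actionable"): ["failed_admin_login"],
    ("user", "admin"): ["mary", "bob"],
}

TAG_RE = re.compile(r"tag::(\w+)=(\w+)")
# The negative lookbehind keeps "tag::eventtype=x" from being read as a
# plain eventtype= term if a tag were ever left unexpanded.
EVENTTYPE_RE = re.compile(r"(?<!::)\beventtype=(\w+)")


def expand_tags(search, tags):
    """Replace every tag::field=tag term with the tagged values, OR'ed together."""
    def sub(m):
        field, tag = m.group(1), m.group(2)
        values = tags.get((field, tag))
        if not values:
            raise KeyError(f"no values of {field} carry the tag {tag!r}")
        terms = [f"{field}={v}" for v in values]
        # A single value is substituted bare; several are combined with OR.
        return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"
    return TAG_RE.sub(sub, search)


def expand_eventtypes(search, eventtypes):
    """Replace every eventtype=name term with that event type's definition."""
    def sub(m):
        name = m.group(1)
        if name not in eventtypes:
            raise KeyError(f"unknown event type {name!r}")
        return "(" + eventtypes[name] + ")"
    return EVENTTYPE_RE.sub(sub, search)


def expand(search, eventtypes=EVENTTYPES, tags=TAGS, max_depth=20):
    """Return the list of rewrites from the initial search to the fully expanded one.

    Expansion repeats until a pass changes nothing. max_depth guards against
    a circular definition (an event type that refers back to itself).
    """
    steps = [search]
    for _ in range(max_depth):
        new = expand_eventtypes(expand_tags(search, tags), eventtypes)
        if new == search:
            return steps
        steps.append(new)
        search = new
    raise RecursionError("event type or tag definitions do not terminate (cycle?)")


if __name__ == "__main__":
    for i, s in enumerate(expand("tag::eventtype=actionable")):
        print(f"{i}. {s}")
```

Running it prints the initial search followed by three rewrites; the last one contains no tag:: or eventtype= term and is what Splunk actually runs. Because every user tagged admin and every nested event type is substituted at search time, adding a user to the admin tag or editing failed_login changes the expanded search the next time it runs, which is the point made in the paragraph above.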
Using lookups to enrich data
Sometimes, information that would be useful for reporting and searching is not
located in the logs themselves, but is available elsewhere. Lookups allow us to
enrich data, and even search against the fields in the lookup as if they were part
of the original events.
The source of data for a lookup can be either a Comma Separated Values (CSV) file or a script. We will cover the most common use of a CSV lookup in the next section. We will cover scripted lookups in Chapter 12, Extending Splunk.
There are three steps for fully defining a lookup: creating the lookup table file, creating the lookup definition that points at it, and optionally wiring the lookup to run automatically.
Defining a lookup table file
A lookup table file is simply a CSV file. The first line is treated as a list of field names
for all other lines.
Lookup table files are managed at Manager | Lookups | Lookup table files. Simply upload a new file and give it a filename, preferably ending in .csv.
The lookup file users.csv is included in ImplementingSplunkDataGenerator:
user,city,department,state
mary,Dallas,HR,TX
jacky,Dallas,IT,TX
linda,Houston,HR,TX
Bobby,Houston,IT,TX
bob,Chicago,HR,IL
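To make concrete what a lookup does to events, here is an added example that is not Splunk's implementation and not code from the book. It parses the users.csv above the way a lookup table file is read (first line is the field names), joins it to a handful of constructed events on the user field, and then searches on department and state as if they were event fields. The events and timestamps are made up for the example. The lower-case user bobby is included on purpose: Splunk matches lookup keys case-sensitively unless case_sensitive_match is turned off for that lookup in transforms.conf, so bobby does not match the table's Bobby until the case-insensitive option is used, and an enrichment that silently misses a user is exactly the kind of gap a security report built on this data needs to notice.

```python
"""Simulate what a Splunk CSV lookup does to events.

Added example; this is not Splunk's implementation or the book's code.
The lookup table is the users.csv shown above; the events are constructed
(already parsed into field name/value pairs) to stand in for log lines.
"""
import csv
import io

USERS_CSV = """\
user,city,department,state
mary,Dallas,HR,TX
jacky,Dallas,IT,TX
linda,Houston,HR,TX
Bobby,Houston,IT,TX
bob,Chicago,HR,IL
"""

# Constructed events; "bobby" is deliberately lower-case to show the
# case-sensitivity caveat, and "zed" has no row in the lookup at all.
EVENTS = [
    {"_time": "2012-03-01T10:00:01", "user": "mary", "action": "login", "result": "failed"},
    {"_time": "2012-03-01T10:00:05", "user": "jacky", "action": "login", "result": "ok"},
    {"_time": "2012-03-01T10:00:09", "user": "bobby", "action": "login", "result": "failed"},
    {"_time": "2012-03-01T10:00:12", "user": "zed", "action": "login", "result": "failed"},
]


def load_lookup(csv_text, key_field, case_sensitive=True):
    """Parse a lookup table file: the first line is the list of field names.

    Returns {key value: row dict}. The case_sensitive flag models Splunk's
    case_sensitive_match setting (default: case-sensitive). A real lookup can
    return several matching rows; this toy rejects duplicate keys instead so
    the mapping stays unambiguous, especially after case folding.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if key_field not in reader.fieldnames:
        raise ValueError(f"lookup has no field {key_field!r}: {reader.fieldnames}")
    table = {}
    for row in reader:
        key = row[key_field] if case_sensitive else row[key_field].lower()
        if key in table:
            raise ValueError(f"duplicate key {key!r} in lookup")
        table[key] = row
    return table


def enrich(events, table, key_field, case_sensitive=True):
    """Add the lookup's other fields to every event whose key_field matches.

    Events with no match pass through unchanged. Lookup fields overwrite any
    event field of the same name, like `lookup ... OUTPUT` in a search.
    """
    out = []
    for ev in events:
        ev = dict(ev)
        val = ev.get(key_field)
        if val is not None:
            row = table.get(val if case_sensitive else val.lower())
            if row is not None:
                for field, value in row.items():
                    if field != key_field:
                        ev[field] = value
        out.append(ev)
    return out


def search(events, **criteria):
    """Keep events whose fields equal every criterion; lookup fields count too."""
    return [ev for ev in events if all(ev.get(f) == v for f, v in criteria.items())]


if __name__ == "__main__":
    table = load_lookup(USERS_CSV, "user")
    enriched = enrich(EVENTS, table, "user")
    # department never appears in the raw events; it comes from the lookup.
    for ev in search(enriched, department="HR", result="failed"):
        print(ev)
```

With the default case-sensitive matching, the failed login by bobby carries no city, department or state and so is absent from any report keyed on those fields; loading the table with case_sensitive=False makes it match the Bobby row. When you wire a lookup to run automatically, confirm that the key field's name and value format in the CSV match what the extracted event field actually contains, or the enrichment will be incomplete in just this way.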