With this file uploaded, we can immediately use it with the lookup command.
In the simplest case, the format of the lookup command is as follows:
lookup [lookup definition or file name] [matching field]
An example of its usage is as follows:
sourcetype="impl_splunk_gen"
| lookup users.csv user
We can now see all of the fields from the lookup file as if they were in the events:
We can use these fields in reports:
sourcetype="impl_splunk_gen"
| lookup users.csv user
| stats count by user city state department
This will produce results as shown in the following screenshot:
This is all that is required to use a CSV lookup to enrich data, but if we do a little
more configuration work, we can make the lookup even more useful.
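An added example, not from the book: a small Python model of what the two searches above do. The events and the users.csv contents are constructed; only the column names (user, city, state, department) come from the stats clause above. It also shows a case the text does not cover, that events whose user has no row in the lookup file drop out of the stats ... by report.

```python
import csv
import io
from collections import Counter

# Constructed stand-in for users.csv (values are made up for illustration).
USERS_CSV = """user,city,state,department
mary,Dallas,TX,HR
bob,Austin,TX,Engineering
jacky,Houston,TX,Finance
"""

# Constructed events; "extrauser" has no row in the lookup file.
EVENTS = [{"sourcetype": "impl_splunk_gen", "user": u}
          for u in ("mary", "bob", "mary", "extrauser")]


def load_lookup(text, match_field):
    """Index the CSV rows by the matching field."""
    return {row[match_field]: row for row in csv.DictReader(io.StringIO(text))}


def lookup(events, table, match_field):
    """Model of `| lookup users.csv user`: copy the matching row's columns
    onto each event; events without a match pass through unchanged."""
    return [{**e, **table.get(e.get(match_field), {})} for e in events]


def stats_count_by(events, by_fields):
    """Model of `| stats count by ...`: events missing any by-field are skipped."""
    counts = Counter()
    for e in events:
        if all(e.get(f) not in (None, "") for f in by_fields):
            counts[tuple(e[f] for f in by_fields)] += 1
    return dict(counts)


def unmatched_users(events, lookup_field="city"):
    """Users seen in events that the lookup file did not enrich."""
    return sorted({e["user"] for e in events if lookup_field not in e})


enriched = lookup(EVENTS, load_lookup(USERS_CSV, "user"), "user")
report = stats_count_by(enriched, ["user", "city", "state", "department"])
print(report)
print("not in lookup file:", unmatched_users(enriched))
```

The report counts three events although four were searched; the account missing from the lookup file is the one that disappears from the table.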
 