Lookup file: We have chosen users.csv in this case.
Configure time-based lookup: Using a time-based lookup, you can have
a value that changes at certain points in time while going forward. For
instance, if you built a lookup of what versions of software were deployed
to what hosts at what time, you could generate a report on errors or response
times by the software version.
Advanced options: This simply exposes the remaining fields.
Minimum matches: This defines the number of items in the lookup that
must be matched. With a value of 1, the value of Default matches will be
used if no match is found.
Maximum matches: This defines the maximum number of matches before
stopping. For instance, if there were multiple entries for each user in our
lookup file, this value would limit the number of rows that would be
applied to each event.
Default matches: This value will be used to populate all fields from the
lookup when no match is found, and Minimum matches is greater than 0.
After clicking on Save, we can use our new lookup in the following manner:
sourcetype="impl_splunk_gen"
| lookup userslookup user
| stats count by user city state department
This will produce results as shown in the following screenshot:
Notice that extrauser now appears in the table since it has values for city, state,
and department.
Lookup tables have other features, including wildcard lookups, CIDR lookups, and
temporal lookups. We will use those features in later chapters.
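To make the matching rules above concrete, here is an added example (not code from the book or from Splunk) that simulates how Minimum matches, Maximum matches and Default matches shape the output of the lookup search shown, using a constructed stand-in for users.csv and a handful of constructed events. It then reproduces the stats count by step, so you can see why an unmatched user drops out of the table unless a default is supplied.

```python
import csv
import io
from collections import Counter

# Constructed sample lookup file standing in for users.csv (not the book's data).
USERS_CSV = """user,city,state,department
mary,Boston,MA,sales
bobby,Denver,CO,engineering
bobby,Austin,TX,engineering
extrauser,Seattle,WA,support
"""

# Constructed sample events, as a search like sourcetype="impl_splunk_gen" might return.
EVENTS = [
    {"user": "mary"}, {"user": "bobby"}, {"user": "mary"},
    {"user": "extrauser"}, {"user": "unknown"},
]

def load_lookup(text, key):
    """Index lookup rows by the key field, preserving file order so max_matches is deterministic."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        table.setdefault(row[key], []).append(row)
    return table

def lookup(events, table, key, min_matches=0, max_matches=1, default_match=None):
    """Mimic the lookup rules described above: at most max_matches rows are applied per
    event; when nothing matches, all lookup fields are filled from default_match, but only
    if min_matches > 0. Otherwise the event passes through without the lookup fields."""
    fields = [f for f in next(iter(table.values()))[0] if f != key]
    out = []
    for ev in events:
        rows = table.get(ev[key], [])[:max_matches]
        if not rows and min_matches > 0 and default_match is not None:
            rows = [{f: default_match for f in fields}]
        if not rows:
            out.append(dict(ev))
        for row in rows:
            out.append({**ev, **{f: row[f] for f in fields}})
    return out

def stats_count_by(events, *by):
    """Equivalent of `stats count by ...`: events missing any of the by-fields are dropped."""
    c = Counter(tuple(ev[f] for f in by) for ev in events if all(f in ev for f in by))
    return dict(sorted(c.items()))

if __name__ == "__main__":
    table = load_lookup(USERS_CSV, "user")
    print(stats_count_by(lookup(EVENTS, table, "user"), "user", "city", "state", "department"))
```

Raising max_matches to 2 applies both bobby rows to each bobby event, and setting min_matches=1 with a default_match keeps the unknown user in the table under the default values.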