Defining an automatic lookup
Automatic lookups are, in this author's opinion, one of the coolest features in Splunk.
Not only are the contents of the lookup added to events as if they were always there,
but you can also search against the fields in the lookup file as if they were part of the
original event.
To define the automatic lookup, navigate to Manager | Lookups | Automatic lookups and click on the New button.
Let's step through the fields in this definition:
• Destination app: This is the application where the definition will live. We'll discuss the implications of this choice in Chapter 7, Working with Apps.
• Name: This name is used in the configuration. It should not contain spaces or special characters. We will discuss its significance in Chapter 10, Configuring Splunk.
• Lookup table: This is the name of the lookup definition.
• Apply to: This lets us choose which events are acted upon. The usual case is sourcetype, which must match a sourcetype name exactly. Alternatively, you can specify source or host, with or without wildcards.
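As an added example (not from the book), here is what the dialog fields above correspond to once written to disk: a lookup definition in transforms.conf and an automatic lookup stanza in props.conf. The app name, lookup file, sourcetype, host and source patterns, and the field names user and department are all assumed placeholders.

```ini
# Added example, not from the book. All names below are assumed placeholders.
#
# --- $SPLUNK_HOME/etc/apps/assumed_app/local/transforms.conf ---
# "Lookup table" in the dialog refers to a lookup definition such as this one.
# The CSV is assumed to have columns named user and department.
[assumed_lookup_def]
filename = assumed_users.csv

# --- $SPLUNK_HOME/etc/apps/assumed_app/local/props.conf ---
# "Destination app" decides which app directory these stanzas live in.
# "Apply to" = sourcetype: the stanza name must match the sourcetype exactly.
[assumed_sourcetype]
# "Name" becomes the suffix after LOOKUP- ; no spaces or special characters.
# Matches the event field user against the user column and adds department.
LOOKUP-assumed_name = assumed_lookup_def user OUTPUT department

# "Apply to" = source or host: these stanza forms accept wildcards.
[source::/var/log/assumed/*.log]
LOOKUP-assumed_name = assumed_lookup_def user OUTPUT department

[host::web*]
LOOKUP-assumed_name = assumed_lookup_def user OUTPUT department
```

Once this is in place, department behaves like a field of the original event, so a search such as sourcetype=assumed_sourcetype department=finance restricts results by the looked-up value.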