lookup doubts

harshavrath
Contributor

Hi,

Need info on why a lookup is necessary and what its use is.

I have a scenario in which I have indexed 30 records from my Oracle DB into Splunk and have a few log files which contain a few attributes of the indexed data. My question is how can I link these two?

Please provide a video link or a PDF to refer to.

Any Help is Appreciated,

Thanks.


the_wolverine
Champion

You don't need the DBX app to do a lookup unless you are looking up against an Oracle DB (or another DB). If you've got a CSV to use as a lookup file, that's all you need.

1) Generate the lookup file by running the following command in the Splunk UI:

your search | table colA, colB, colC | outputlookup mylookup.csv

(Or, you could drop your comma-delimited CSV lookup file in $SPLUNK_HOME/etc/apps/search/lookups/mylookup.csv on your Splunk search head.)

2) Use the lookup file by running:

your search for Oracle DB events | lookup mylookup.csv colA AS OracleColumn_Name

You should see your Oracle DB events where OracleColumn_Name matches colA (in your lookup file) enriched with the values of colB and colC from your lookup file.


dmaislin_splunk
Splunk Employee

You need the DBX app if you don't already have it:

http://apps.splunk.com/app/958/

Lookups are commonly used to enrich data. If you index a specific set of data, for example an error code, but the error code description is not indexed, you can create a CSV lookup table and use the lookup table to add the error code description to the dashboard/Splunk report. If the lookup table happens to be inside a remote database, then you would use the app referenced above to create a database lookup table to perform the same task.

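As an added illustration (not from the thread and not Splunk's own code), the following Python models what the two steps described by dmaislin_splunk and the_wolverine above do: export DB rows to a CSV the way `| table ... | outputlookup mylookup.csv` does, then enrich log events by joining an extracted field against that CSV the way `| lookup mylookup.csv colA AS OracleColumn_Name` does. The Oracle rows, log lines and field names (err_code, code, description, severity) are constructed sample data. It shows the semantics a practitioner should expect from the real command: the join is a left join (unmatched events are kept, just without the added fields), the key match is case-sensitive unless case_sensitive_match is set to false in the lookup's transforms.conf stanza, and every non-key column of the CSV is returned unless an OUTPUT list restricts it.

```python
"""Python model of the CSV-lookup workflow from this thread: outputlookup, then lookup.

Added example, not Splunk code. The DB rows, log lines and field names are constructed.
"""
import csv
import io
import re

# Constructed stand-in for the rows indexed from Oracle: code -> description, severity.
DB_ROWS = [
    {"err_code": "ORA-00001", "description": "unique constraint violated", "severity": "high"},
    {"err_code": "ORA-01017", "description": "invalid username/password", "severity": "high"},
    {"err_code": "ORA-12541", "description": "no listener", "severity": "critical"},
]

# Constructed application log lines; only the code (not its description) appears in the logs.
LOG_LINES = [
    "2014-03-10T10:01:22Z app=billing host=web01 code=ORA-01017 user=svc_bill",
    "2014-03-10T10:01:25Z app=billing host=web02 code=ORA-12541 user=svc_bill",
    "2014-03-10T10:02:03Z app=portal host=web01 code=ora-00001 user=jdoe",  # lower-case key
    "2014-03-10T10:02:09Z app=portal host=web01 code=ORA-99999 user=jdoe",  # not in the lookup
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def outputlookup(rows, fields):
    """Serialise the chosen fields to CSV text, like `| table fields | outputlookup file.csv`."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def load_lookup(csv_text):
    """Read the lookup file back, as Splunk does from $SPLUNK_HOME/etc/apps/<app>/lookups/."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def extract_fields(line):
    """Minimal key=value extraction standing in for Splunk's automatic field extraction."""
    event = {"_raw": line}
    event.update(KV_RE.findall(line))
    return event


def lookup(events, rows, lookup_key, event_field, case_sensitive=True, output=None):
    """Left-join events to the lookup rows: `| lookup file.csv <lookup_key> AS <event_field> [OUTPUT ...]`.

    case_sensitive mirrors transforms.conf case_sensitive_match (default true).
    output=None mirrors the default of returning every non-key column.
    """
    norm = (lambda s: s) if case_sensitive else str.lower
    table = {norm(r[lookup_key]): {f: v for f, v in r.items() if f != lookup_key} for r in rows}
    enriched = []
    for ev in events:
        ev = dict(ev)
        val = ev.get(event_field)
        match = table.get(norm(val)) if val is not None else None
        if match:
            for field, value in match.items():
                if output is None or field in output:
                    ev[field] = value
        enriched.append(ev)  # unmatched events are kept, just without the added fields
    return enriched


def enrich_logs(db_rows=DB_ROWS, log_lines=LOG_LINES, case_sensitive=True, output=None):
    """Run both steps end to end and return the enriched events."""
    csv_text = outputlookup(db_rows, ["err_code", "description", "severity"])
    rows = load_lookup(csv_text)
    events = [extract_fields(line) for line in log_lines]
    return lookup(events, rows, "err_code", "code", case_sensitive=case_sensitive, output=output)


if __name__ == "__main__":
    for ev in enrich_logs():
        print(ev.get("code"), "->", ev.get("description", "<no match>"), ev.get("severity", ""))
```

The third line shows why an unmatched event is the first thing to check when a lookup "doesn't work": a key that differs only in case is not a match under the default configuration, and the event silently passes through without the added fields rather than raising an error.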

dmaislin_splunk
Splunk Employee

Then you can schedule the index of the database information like you asked about in your other post, http://answers.splunk.com/answers/132502/automate-indexing, and then run a scheduled search against that to automatically create a lookup table using the Splunk command outputlookup. Then you can configure the local lookup table per the_wolverine's approach below.


harshavrath
Contributor

Won't it be slow? I mean, after I configured my Oracle DB I used dbquery to get the results from the DB, and it takes a very long time to fetch the results.


dmaislin_splunk
Splunk Employee

Yes. You don't need to index a lookup table. Just index the logs, and then configure your field that you extract from the logs to map to a lookup that exists in the remote database.


harshavrath
Contributor

You mean I'm supposed to do it the other way, the reverse of what I'm doing?


dmaislin_splunk
Splunk Employee

You should not have to index the data from a table in the database for you to use the information as a lookup table. Notice that after you set up DBX, you can index some log file data like normal, take any given field from the indexed data and then create a database lookup table to enrich the data. The new database lookup configuration is added after you install the app. You can find it under the lookup table settings in the Manager UI. Then you can map a field to a field in a remote database table and return many other fields from that lookup.


harshavrath
Contributor

I have installed DBX and indexed a few records from a table. I have a log file which I want to link to the indexed data. Is it possible?
