Splunk Search

How to make a query using a lookup table and indexed data?

fvasquezchacon
Path Finder

Hi!

I would like to make a query using data in a lookup table and indexed data. The issue is the following:

I have a CSV lookup table uploaded to Splunk. It has 2 columns, Host and Device Type. On the other hand, I have data indexed from a UDP port from many hosts. I would like to make a report or dashboard filtering by Device Type, linking the host in the logs with the classification in the lookup table. How can I do it?

Thanks in advance!


aljohnson_splun
Splunk Employee

Hi!

There are multiple ways to do this!

1.) Using the lookup command

… | lookup your_csv_file Host as host OUTPUT Host, "Device Type" | table host "Device Type"

The problem with this approach is that it needs to be used on every search... So it isn't persistent.

2.) Automatic Lookup and Lookup definition

See this tutorial here and check out this documentation too!

fvasquezchacon
Path Finder

Thanks for the answer!


aljohnson_splun
Splunk Employee

If you set up the automatic lookup that I outlined above, filtering for device type is as easy as

source="UDP:514" Device_Type=ISAM
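
Added example, not from the original thread: the same Device Type filter done entirely in the search, without the automatic lookup. It assumes the CSV was saved as a lookup definition named device_types with the columns Host and Device_Type, that the UDP syslog input has source udp:514, and that Splunk's host field on those events holds the sender IP (the default for UDP inputs), so it matches the Host column.

```spl
source="udp:514"
    [| inputlookup device_types
       | search Device_Type=ISAM
       | fields Host
       | rename Host AS host]
| lookup device_types Host AS host OUTPUT Device_Type
| stats count AS events, latest(_time) AS last_seen BY host, Device_Type
| convert ctime(last_seen)
```

The subsearch expands to `host=172.20.77.100 OR host=172.20.77.101`, so only the ISAM hosts' events are read from the index, and the trailing lookup carries Device_Type into the results for the dashboard. Hosts that send to udp:514 but are missing from the CSV never appear in this report, so a separate `source="udp:514" | lookup device_types Host AS host OUTPUT Device_Type | search NOT Device_Type=*` is worth running to catch unclassified senders.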

fvasquezchacon
Path Finder

Hi!

Thanks for the answer. It was close to what I am looking for, but I think I didn't explain my issue well enough.

Here is an example of the lookup table (in csv) I uploaded to Splunk:

Host,Device_Type
172.20.77.100,ISAM
172.20.77.101,ISAM
172.20.77.102,MKX
172.20.77.103,MKX

And the indexed data is coming to a specific port (UDP 514) of Splunk, so I can recognize the IP (Host) of each device. In the Data Summary button, Host tab, I have the indexed data coming from many hosts, which are classified in the csv file. What I am looking for is a query that begins with the following:

source="udp:514" | "command_to_filter_the_ISAM_devices_for_example"

I would like a command that allows me to show only the indexed data of the ISAM devices, for example, in order to make a dashboard of these devices only, or a way to do something similar. Can you help me with this?

Thanks in advance!
