I have a lookup Excel sheet with the application name, hostname, and IP address. I want to use it in a Splunk query. How shall I do it?
You should save your Excel spreadsheet as a CSV (comma-separated values) file, making sure to follow these guidelines:
Next, you'll need to upload the CSV file to Splunk. You can do this by following these steps:
After the file is in Splunk, you should create a lookup definition. The details for that are here:
http://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Usefieldlookupstoaddinformationtoyoureve...
Once the lookup is properly defined, you can use these commands for interacting with it:
lookup - to consult the contents of the lookup file and use fields from the lookup to enrich your event data
inputlookup - to display the contents of the lookup file
outputlookup - to append to the lookup file or replace its contents entirely
I suggest you go through the Search Tutorial from the beginning. It includes a step for enriching data with a CSV lookup file.
You wanna read this chapter of the docs.
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂
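The `lookup` command from the first answer, applied to the asker's three columns, as an added example that is not part of the original thread. It assumes a lookup definition named `app_inventory` whose CSV header row is `application,hostname,ip`, and events in an index named `firewall` carrying a `src_ip` field; all four names are hypothetical.

```spl
index=firewall
| lookup app_inventory ip AS src_ip OUTPUT application hostname
| eval inventory_status=if(isnull(application), "not in inventory", "known")
| fillnull value="unknown" application hostname
| stats count BY src_ip application hostname inventory_status
| sort - count
```

Events whose `src_ip` has no row in the CSV come back with `application` and `hostname` unset, and `stats ... BY` drops rows with a null group-by field, so the `fillnull` step is what keeps unlisted addresses visible in the result.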