Configuring a simple field lookup
In this section, we will configure a simple Splunk lookup.
Defining lookups in Splunk Web
You can set up a lookup using the Lookups page (in Splunk Web) or by configuring stanzas in the props.conf and transforms.conf files. Let's take the easier approach first and use the Splunk Web interface.
Before we begin, we need to establish our lookup table that will be in the form of an industry standard comma separated file (CSV). Our example is one that converts business unit codes to a more user-friendly business unit name. For example, we have the following information:
|
Business unit code |
Business unit name |
|---|---|
|
999999 |
Corporate office |
|
VA0133SPS001 |
South-western |
|
VA0133NLR001 |
North-east |
|
685470NLR001 |
Mid-west |
In the ...
Get Mastering Splunk now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
