K. SubramanianPractical Splunk Search Processing Languagehttps://doi.org/10.1007/978-1-4842-6276-4_6

6. Using Lookups

Karun Subramanian¹

(1)

Greater Minneapolis, MN, USA

So far, we’ve been learning how to make use of the machine data that’s already ingested in Splunk. SPL provides numerous commands to explore the data effectively. At times however, you may need to bring in external data into Splunk. For example, you may create a report of the top five user IDs that have the greatest number of login failures. The SPL might look like the following:

...| search status="denied" reason="incorrect password" | top 5 username

The result might look like the following:

username count

-------------------

jbarnes 1020

ksmith21 938 ...

Get Practical Splunk Search Processing Language: A Guide for Mastering SPL Commands for Maximum Efficiency and Outcome now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Practical Splunk Search Processing Language: A Guide for Mastering SPL Commands for Maximum Efficiency and Outcome by Karun Subramanian

6. Using Lookups

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly