Log data can be filled with identification numbers, short codes, error numbers, or other values that don't always make the information easy to read or understand quickly.
This recipe will show you how to add a lookup table to your Operational Intelligence application so that when a product code field is present in an event, a description field can automatically be added and populated with the full description of that product.
To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time – Getting Data In. You should be familiar with navigating the Splunk user interface.
Follow the steps in this recipe to create an automatic product code lookup:
1. Create a new file named productdescriptions.csv using your favorite text editor on your local computer and add the following lines, taking care to ensure that the commas are typed correctly:

   itemId,itemName,itemDescription
   4728475,Rolux Navigator,Stylish men's watch with metal band
   38492,Rolux Sportsman,Men's sport watch with timer
   1000014,Ripple BookPro 13,13 inch laptop - 5PB HDD/200GB RAM
   1000015,Ripple Jukebox 500,Portable music player - 984 hour battery life
   1000016,Poku Castbox,Video streaming device - HDMI compatible
   1000017,Ripple Jukebox 300,Music streaming device 300GB storage capacity
   1000020,Ripple MyPhone 8,The latest phone from Ripple - 8 inch with 8TB of storage capacity

2. Alternatively, you can use the productdescriptions.csv file that is provided.
3. Upload the productdescriptions.csv file. As the file is much smaller than the maximum 500 MB file size, we are able to upload it via the GUI without any issue.
4. Name the lookup table file productdescriptions.csv and then click on Save.
5. Create a new lookup definition named Product_Descriptions, set the Type field to File-based, and select the productdescriptions.csv file in the Lookup file field. Then, click on Save.
6. Next, set up an automatic lookup for the log4j sourcetype. Click on Lookups again.
7. Select operational_intelligence in the Destination app field and enter Product_Descriptions in the Name field.
8. Apply the lookup to the sourcetype by entering log4j in the named field.
9. Enter itemId in both fields for Lookup input fields.
10. Map itemDescription to ProductDescription and itemName to ProductName in Lookup output fields.
11. Run the following search to confirm that the new fields are populated:

   index=main sourcetype="log4j" itemId=* | table itemId ProductDescription, ProductName
When you issue a search in Splunk, it checks its configuration to see if there are any lookups defined. If it finds a lookup that matches the appropriate host, source, or sourcetype for the events returned in the search, it takes the input fields that are defined and matches them against the data in the lookup file and the fields in the events. If the field values match, it adds the output fields from the lookup table to the events as the new fields, as defined.
There are many different configurations possible with lookup tables. For example, it is possible to have input field matches on more than one field, and you can have the output fields overwrite the fields that already exist in the search results.
In this recipe, we chose to implement an automatic lookup. Automatic lookups negate the need to explicitly use the lookup command in your search but can carry a performance cost. For example, every search of the log4j sourcetype will now perform this product lookup automatically, whether we need the fields and associated values returned from the lookup or not.
As with most configurations in Splunk, there is more than one way to do something. While the product lookup can be configured via the web interface, it can also be performed manually.
Follow the given steps to manually add the lookup to Splunk:
1. Copy the productdescriptions.csv file to the $SPLUNK_HOME/etc/apps/operational_intelligence/lookups directory (create the lookups directory if required).
2. Add the following stanza to $SPLUNK_HOME/etc/apps/operational_intelligence/local/transforms.conf (create the local directory if required):

   [Product_Descriptions]
   filename = productdescriptions.csv

3. Add the following stanza to $SPLUNK_HOME/etc/apps/operational_intelligence/local/props.conf (create the local directory if required):

   [log4j]
   LOOKUP-Product_Descriptions = Product_Descriptions itemId AS itemId OUTPUTNEW itemDescription AS ProductDescription, itemName AS ProductName
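To make the matching and OUTPUTNEW behaviour described in this recipe concrete, here is an added Python example (not Splunk's code and not from the book) that parses the LOOKUP- value from the props.conf stanza above, loads the CSV lookup, and enriches a few constructed log4j-style events the way the automatic lookup does, including the case where the output field already exists on the event.

```python
import csv, io, re

# Constructed subset of the recipe's productdescriptions.csv, embedded so this runs offline.
PRODUCT_CSV = """itemId,itemName,itemDescription
4728475,Rolux Navigator,Stylish men's watch with metal band
38492,Rolux Sportsman,Men's sport watch with timer
"""
# The LOOKUP- value from the recipe's props.conf stanza for the log4j sourcetype.
LOOKUP_SPEC = ("Product_Descriptions itemId AS itemId OUTPUTNEW "
               "itemDescription AS ProductDescription, itemName AS ProductName")

def _pairs(text):
    """'a AS b, c' -> [('a', 'b'), ('c', 'c')] as (lookup column, event field)."""
    out = []
    for parts in (item.split() for item in text.split(",")):
        out.append((parts[0], parts[2] if len(parts) == 3 else parts[0]))
    return out

def parse_lookup_spec(spec):
    """Split '<definition> <inputs> OUTPUT|OUTPUTNEW <outputs>' into its parts."""
    m = re.match(r"^(\S+)\s+(.+?)\s+(OUTPUTNEW|OUTPUT)\s+(.+)$", spec.strip())
    if not m:
        raise ValueError("unrecognised LOOKUP- specification")
    return {"definition": m.group(1), "inputs": _pairs(m.group(2)),
            "overwrite": m.group(3) == "OUTPUT", "outputs": _pairs(m.group(4))}

def load_lookup(csv_text, spec):
    """Index the CSV rows by the tuple of lookup input columns."""
    return {tuple(row[src] for src, _ in spec["inputs"]): row
            for row in csv.DictReader(io.StringIO(csv_text))}

def apply_lookup(events, spec, table):
    """Enrich a copy of each event; OUTPUTNEW never overwrites an existing field."""
    enriched = []
    for ev in events:
        ev = dict(ev)
        row = table.get(tuple(ev.get(field, "") for _, field in spec["inputs"]))
        for src, dst in (spec["outputs"] if row else []):
            if spec["overwrite"] or dst not in ev:
                ev[dst] = row[src]
        enriched.append(ev)
    return enriched

# Constructed log4j-style events already extracted into fields; itemId 999 has no row.
SAMPLE_EVENTS = [{"itemId": "4728475"},
                 {"itemId": "38492", "ProductName": "already set"}, {"itemId": "999"}]

def enrich_sample():
    spec = parse_lookup_spec(LOOKUP_SPEC)
    return apply_lookup(SAMPLE_EVENTS, spec, load_lookup(PRODUCT_CSV, spec))
```

Changing OUTPUTNEW to OUTPUT in LOOKUP_SPEC makes the second event's ProductName get overwritten, which mirrors the overwrite option mentioned in the How it works section.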