Though you can access a lookup immediately by the filename, defining the lookup allows you to set other options, reuse the same file, and later make the lookup run automatically. Creating a definition also eliminates a warning message that appears when simply using the filename.
Navigate to Settings | Lookups | Lookup definitions and click on the New button:
Stepping through these fields, we have the following:
- Destination app: This is where the lookup definition will be stored. This matters because you may want to limit the scope of a lookup to a particular application for performance reasons.
- Name: This is the name that you will use in search strings.
- Type: The options here are File-based or External. We will cover External, or scripted, in Chapter 13, Extending Splunk.
- Lookup file: We have chosen users.csv in this case.
- Configure time-based lookup: A time-based lookup lets a value change at particular points in time, so the value applied depends on when the event occurred. For instance, if you built a lookup of the software versions deployed to the various hosts at different times, you could generate a report on errors or response times by software version.
- Advanced options: This simply exposes the remaining fields.
- Minimum matches: This defines the number of items in the lookup that must be matched. With a value of 1, the value of Default matches will be used if no match is found.
- Maximum matches: This defines the maximum number of matches before stopping. For instance, if there were multiple entries for each user in our lookup file, this value would limit the number of rows that would be applied to each event.
- Default matches: This value will be used to populate all fields from the lookup when no match is found and Minimum matches is greater than 0.
After clicking on Save, we can use our new lookup in the following manner:
sourcetype="impl_splunk_gen_SomeMoreLogs" | lookup userslookup user | stats count by user city state department
This will produce results as shown in the following screenshot:
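To make the interaction between Minimum matches, Maximum matches and Default matches concrete, here is an added Python simulation of the lookup and stats steps above; it is not Splunk code or code from the book, and the users.csv columns and the sample events are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample lookup file standing in for users.csv (columns assumed).
USERS_CSV = """user,city,state,department
mary,Dallas,TX,Engineering
bob,Boston,MA,Sales
bob,Austin,TX,Sales
"""

# Constructed sample events; only the "user" field takes part in the lookup.
EVENTS = [{"user": "mary"}, {"user": "bob"}, {"user": "bob"}, {"user": "jacky"}]


def load_lookup(text):
    """Read the CSV into a list of row dicts, as Splunk would read users.csv."""
    return list(csv.DictReader(io.StringIO(text)))


def apply_lookup(events, rows, key, min_matches=0, max_matches=1000,
                 default_match=None):
    """Mimic '| lookup userslookup user' together with the advanced options.

    Rows whose key equals the event's key are matched, at most max_matches of
    them. If fewer than min_matches rows match and a default_match is set, the
    shortfall is filled with rows holding that value. Several matches become a
    multivalue field (a list), which is how Splunk returns them.
    """
    out_fields = [f for f in rows[0] if f != key]
    result = []
    for ev in events:
        hits = [r for r in rows if r[key] == ev.get(key)][:max_matches]
        if len(hits) < min_matches and default_match is not None:
            hits += [{f: default_match for f in out_fields}] * (min_matches - len(hits))
        joined = dict(ev)
        for f in out_fields:
            vals = [h[f] for h in hits]
            if len(vals) == 1:
                joined[f] = vals[0]
            elif vals:
                joined[f] = vals
        result.append(joined)
    return result


def stats_count_by(events, *fields):
    """Equivalent of '| stats count by user city state department'."""
    def as_key(v):
        return tuple(v) if isinstance(v, list) else v
    return Counter(tuple(as_key(e.get(f)) for f in fields) for e in events)
```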
Lookup tables have other features, including wildcard lookups, CIDR lookups, and temporal lookups. We will use those features in later chapters.