What Are Lookups?

Lookups enrich your search results by adding fields from external data sources. The most common type is a CSV lookup — a simple CSV file uploaded to Splunk.

For example, you might have a CSV that maps HTTP status codes to human-readable descriptions. A lookup lets you add a "status_description" field to every event automatically.

Other lookup types include KV Store lookups (stored in Splunk's internal database), external lookups (scripts), and geospatial lookups (for map visualizations).

index=web_logs | lookup http_status_codes status OUTPUT description