The Factory • Room 1

Lookup Commands

Lookups enrich your raw events by referencing a static table (often a CSV).

`inputlookup` reads the literal contents of a lookup table and returns it as search results.

`lookup` enriches existing search results by matching a field in your events against a field in the lookup table.

Reading a lookup table:

```
| inputlookup asset_list.csv
```

Enriching with lookup:

```
index=network | lookup asset_list.csv ip_address AS src_ip OUTPUT host_name
```
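
`lookup` keeps events that have no matching row in the table and simply leaves the output field unset, which makes it useful for spotting sources missing from an inventory. The search below is an added example, not part of the original lesson; it reuses the lesson's `asset_list.csv`, `ip_address`, `src_ip` and `host_name` names and assumes the `index=network` events carry `src_ip`, while the `events`, `first_seen` and `last_seen` output names are chosen here for illustration.

```spl
index=network
| lookup asset_list.csv ip_address AS src_ip OUTPUT host_name
| where isnull(host_name)
| stats count AS events, earliest(_time) AS first_seen, latest(_time) AS last_seen BY src_ip
| convert ctime(first_seen) ctime(last_seen)
| sort - events
```

Filtering with `where isnull(host_name)` before `stats` matters: grouping `BY host_name` directly would silently drop the unmatched events, because `stats` ignores events in which a BY field has no value.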

Knowledge Check

Prove your understanding to clear the room (Rewards XP)
Write an inputlookup command to view the contents of "users.csv", then filter the results where dept="HR".