Lookups are a great way to enrich your Splunk searches. They add meaning to your data and enable you to create rich and informative dashboards and reports.

A common use case for lookups is to bring reference data into Splunk. This is covered in the free Splunk Fundamentals 1 course. A lookup works as long as the lookup table and your events share a field to match on. That lets you cross-reference your data with any information you like, such as names, known risk levels, or even paths to images hosted in a static directory.

[Figure: screenshot of the 'Open Banking TPP Profile' dashboard from our Open Banking Insights app, with several dropdown options, a grey banner of information on the selected TPP (populated from a lookup), and charts and tables of call volumes and errors per API.]

Using the Splunk outputlookup command to create lookups

You don’t have to build a lookup table by hand. The outputlookup command saves the results of a search as a lookup, and the result is used exactly like one you uploaded. For a CSV lookup the file is created for you, so there is nothing to create and upload manually; for a KV store lookup the collection and its lookup definition must already exist, and outputlookup fills the collection with the search results.

You can even use this command to append data to an existing lookup table with append=true. You should be careful with this approach: without append=true the existing file is overwritten outright, and even with it a loss of data can result if the columns do not match up exactly. With the default override_if_empty=true, a search that happens to return no results will also replace the existing lookup with an empty one, so set override_if_empty=false on any scheduled search that maintains a lookup.
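As an added example (not code from the original post), here is a small lifecycle for a lookup built with outputlookup. The first search creates a CSV lookup of per-sourcetype event counts from the always-present _internal index; the second appends rows for the _audit index using exactly the same columns, which is what makes append=true safe; the third uses the result with the lookup command. The filename sourcetype_volume.csv and the field names events_24h and last_counted are assumptions for the example. override_if_empty=false guards against an empty result set replacing the file.

```spl
| tstats count WHERE index=_internal earliest=-24h BY sourcetype
| rename count AS events_24h
| eval last_counted=strftime(now(), "%Y-%m-%dT%H:%M:%S")
| outputlookup override_if_empty=false sourcetype_volume.csv

| tstats count WHERE index=_audit earliest=-24h BY sourcetype
| rename count AS events_24h
| eval last_counted=strftime(now(), "%Y-%m-%dT%H:%M:%S")
| outputlookup append=true override_if_empty=false sourcetype_volume.csv

index=_internal sourcetype=splunkd
| lookup sourcetype_volume.csv sourcetype OUTPUT events_24h last_counted
| stats count BY sourcetype events_24h last_counted
```

Run the three searches one after another. The second search only adds rows; if you later change the column set (for example by renaming events_24h), drop append=true and rebuild the whole file in one search so the header and every row agree.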

Editing an existing lookup

There is no built-in way to edit a lookup file in Splunk Web. To make changes you must download the file, edit it and re-upload it. The outputlookup command can be used to add new rows, but that comes with the risks described above and cannot be used to remove data. A better solution is the Lookup Editor app, available on Splunkbase, which is intuitive and easy to use. Whichever route you take, the lookup's sharing settings and its read and write permissions govern who can change it; since lookups often drive routing, allow lists and risk scores, write access should be kept as tight as that of the dashboards and alerts that rely on them.

View information about a lookup

You might need to keep track of when a lookup was last updated. The rest search command exposes the lookup-table-files REST endpoint, which reports each file's last update time, owner, app and permissions. We had a recent customer requirement to present only results which occurred after a specific lookup file had last been updated. We solved this by running the following rest search inside a sub-search to filter the outer search to the relevant results:

| rest splunk_server=local /services/data/lookup-table-files/local_authority_routing.csv
| table _time title updated disabled eai:data eai:acl.perms* eai:acl.owner eai:acl.app
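The complete search, written out as an added example rather than copied from the customer deployment: the outer search (index=main and sourcetype=local_authority_routing are placeholders assumed for the example) is restricted with earliest= to events that arrived after the lookup file was last updated. The sub-search converts the REST updated timestamp, which is ISO 8601 with a +hh:mm offset, to epoch seconds and hands it back as an earliest= term with the return command. The replace call rewrites the offset to +hhmm so that strptime's %z can parse it, and round() strips the fractional seconds so the value is a plain epoch integer.

```spl
index=main sourcetype=local_authority_routing
    [| rest splunk_server=local /services/data/lookup-table-files/local_authority_routing.csv
     | eval earliest=round(strptime(replace(updated, ":(\d{2})$", "\1"), "%Y-%m-%dT%H:%M:%S%z"))
     | return earliest]
| table _time host source
```

A time modifier in the search string takes precedence over the time range picker, so the picker only needs to be wide enough to include the lookup's last update. If the rest call returns nothing (for example, because the user's role cannot see the file) the sub-search contributes no earliest= term and the outer search silently falls back to the picker range, so check the sub-search on its own when the results look too broad.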

For 2021 we’ve committed to posting a new Splunk tip every week!

Posted by: Becky Nielsen

Becky is a certified Splunk Admin, who has been working for iDelta since graduating from CodeClan's Professional Software Development course in 2019. Previously an archivist at several institutions around the UK, she holds an MSc in Information Management and Preservation from the University of Glasgow.