Uploading lookup table csv file

  1. Under settings in the top right part of the menu and select Lookups

  2. Select lookup table files

  3. there is a green button named New Lookup Table, File click it

  1. Fill in the data and browse for the file needed

    1. Destination app : search

    2. upload a lookup file: must be a CSV file

    3. Destination filename: name it the same as your file

    4. click save

  1. Go to search and type

| inputlookup <filename or what you put in Destination filename>

You should see you data

  1. To search for matching data you can query:

*| lookup ip.csv "IP Address" as d_ip OUTPUT "IP Address" as ip | eval Ip=replace(srcIp, ":\d+$", "") | search Ip=* | stats count by Ip

PreviousTurning on File Folder AuditingNextExport Splunk results to CSV file

Last updated