Lookup Command in Splunk Explained
CSV type lookup are file-based lookups that match field values from your events to field values in the static table represented by a CSV file. They output corresponding field values from the table to your events. They are also referred to as static lookups. CSV lookups are best for small sets of data. The general workflow for creating a CSV lookup in Splunk Web is to upload a file, share the lookup table file, and then create the lookup definition from the lookup table file. CSV inline lookup table files, and inline lookup definitions that use CSV files, are both dataset types. CSV lookups can be invoked by using the following search commands: lookup, inputlookup, and outputlookup. KV Store Lookup: KV Store lookup, Matches fields in your events to fields in a KV store collection and outputs corresponding fields in that collection to your events. Best practice is to use a KV Store lookup when you have a large lookup table or a table that is updated often. KV Store lookups can be invoked through REST endpoints or by using the following search commands: lookup, inputlookup, and outputlookup.
Therefore, depending on your use cases choose your lookup type Below are examples:
- The KV Store is designed for large collections, and is the easiest way to develop an application that uses key-value data.
- The KV Store is a good solution when data requires user interaction using the REST interface and when you have a frequently-changing data set.
- A CSV-based lookup is a good solution when the data set is small or changes infrequently, and when distributed search is required.
Create a CSV lookup in splunk web https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/UsefieldlookupstoaddinformationtoyoureventsCreate a KV Store lookup https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ConfigureKVstorelookupsReferences: