Splunk Lookups

Sometimes you want to add static values to your events, for example descriptions for the HTTP status codes 200, 401, 404 and 500. Splunk lookups let you do this.

Before you can use a lookup, you need to first create a lookup file. An example lookup file named http200s.csv looks like the following:

code,msg,desc
200,ok,Standard GET response
201,created,The request has been fulfilled
202,accepted,The request has been accepted for processing
204,no content,server not returning any content


Upload this file to Splunk by selecting:
Settings -> Lookups -> Lookup table files

Once the file is uploaded, you can view its contents in the Search bar with the following command:
| inputlookup http200s.csv

The next step is to create a lookup definition with the uploaded file http200s.csv by selecting:
Settings -> Lookups -> Lookup definitions
Here you need to name the lookup definition; let's name it http200s.

With the lookup definition http200s created, you can now use the lookup command in your search to use the lookup fields.

index=f5serverlog sourcetype=petstore | lookup http200s code OUTPUTNEW msg desc

Here http200s is the lookup definition, and "code" is the field used to look up the matching record in the lookup definition. OUTPUT/OUTPUTNEW specify which fields in the lookup definition are included in the search result. OUTPUT replaces the existing field "code" with the fields "msg" and "desc"; OUTPUTNEW keeps the existing field "code" and also adds the extra fields "msg" and "desc".
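
To try the lookup without access to the f5serverlog index, the search below (an added example, not part of the original page) uses makeresults to generate five constructed events and runs them through the http200s lookup definition created above. The field names n and lookup_status are assumptions made for this illustration.

```spl
| makeresults count=5
| streamstats count AS n
| eval code=case(n==1,"200", n==2,"201", n==3,"204", n==4,"404", n==5,"500")
| lookup http200s code OUTPUTNEW msg desc
| eval lookup_status=if(isnull(msg), "no match in http200s", "enriched")
| table code msg desc lookup_status
```

Codes that have no row in http200s.csv (404 and 500 here) are still returned, but with msg and desc empty, which the lookup_status field flags. Running the same eval against real events shows which codes still need a row in the lookup file.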