Lets discuss lookup attributes now. Splunk can use the existing lookup definitions to match the values of an attribute that you select to values of a field in the specified lookup table. It then returns the corresponding field/value combinations and applies them to your object as (lookup) attributes.

Once again, if you click Add Attribute and select Lookup, Splunk opens the Add Attributes with a Lookup page (shown in the following screenshot) where you can select from your currently defined lookup definitions. For this example, we select dnslookup:

The dnslookup converts clienthost to clientip. We can configure a lookup attribute ...