Sometimes, information that would be useful for reporting and searching is not located in the logs themselves, but is available elsewhere. Lookups allow us to enrich data, and even search against the fields in the lookup as if they were part of the original events.
The source of data for a lookup can be either a Comma Separated Values (CSV) file or a script. We will cover the most common use of a CSV lookup in the next section. We will cover scripted lookups in Chapter 12, Extending Splunk.
There are three steps for fully defining a lookup: creating the file, defining the lookup definition, and optionally wiring the lookup to run automatically.
A lookup table file is simply a CSV file. The ...