Let's discuss lookup attributes now. Splunk can use the existing lookup definitions to match the values of an attribute that you select to values of a field in the specified lookup table. It then returns the corresponding field/value combinations and applies them to your object as (lookup) attributes.
Once again, if you click on Add Field and select Lookup, Splunk opens the Add Fields with a Lookup page (shown in the following screenshot) where you can select from your currently defined lookup definitions. For this example, we select dnslookup.
The dnslookup converts clienthost to clientip. We can configure a lookup attribute using this lookup to add that result to the processing errors objects.
Under Input, select clienthost for Field in Lookup and Field in Dataset. Field in Lookup is the field to be used in the lookup table. Field in Dataset is the name of the field used in the event data. In our simple example, Splunk will match the field clienthost with the field host ...