Splunk Tutorial

Splunk - Lookups

In the result of a search query, we sometimes get values which do not clearly convey the meaning of the field. For example, we may get a field which lists the product id as a code or number. These values alone give us no idea of what kind of product it is. But if we list the product name along with the product id, we get a readable report in which the meaning of the search result is clear.

Linking the values of one field to a field with the same name in another dataset, by matching equal values in both datasets, is called a lookup. The advantage is that we retrieve related values from two different datasets in a single result.

Steps to Create and Use a Lookup File

In order to successfully create a lookup field in a dataset, we need to follow the steps below −

Create Lookup File

We consider the dataset with host as web_application, and look at the productid field. This field is just a code, but we want product names to be reflected in our query result set. We create a lookup file with the following details. Here, we have kept the name of the first field as productid, which is the same as the field we are going to use from the dataset; Splunk field names are case-sensitive, so the header must match the event field exactly.

productid,productdescription
WC-SH-G04,Tablets
DB-SG-G01,PCs
DC-SG-G02,MobilePhones
SC-MG-G10,Wearables
WSC-MG-G10,Usb Light
GT-SC-G01,Battery
SF-BVS-G01,Hard Drive

Add the Lookup File

Next, we add the lookup file to the Splunk environment by using the Settings screens as shown below −

lookup 1

After selecting Lookups, we are presented with a screen to create and configure lookups. We select Lookup table files as shown below.

lookup 2

We browse to select the file productidvals.csv as the lookup file to be uploaded and select search as our destination app. We also keep the same destination file name.

lookup 3

On clicking the Save button, the file is saved to the Splunk repository as a lookup file.

Create Lookup Definitions

For a search query to be able to look up values from the lookup file we just uploaded, we need to create a lookup definition. We do this by again going to Settings → Lookups → Lookup definitions → Add new.

lookup 4

Next, we check that the lookup definition we added is available by going to Settings → Lookups → Lookup definitions.

lookup 5

Selecting Lookup Field

Next, we need to select the lookup field for our search query. This is done by going to New Search → All Fields and checking the box for productid, which automatically adds the productdescription field from the lookup file as well.

lookup 6

Using the Lookup Field

Now we use the lookup field in the search query as shown below. The visualization shows the result with the productdescription field instead of productid.

lookup 7
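As an added example, not part of the original tutorial and not Splunk's own code, the Python script below reproduces outside Splunk what the lookup does once the file, the definition and the field have been configured as above: it loads a copy of productidvals.csv, enriches constructed web_application events with productdescription by exact match on productid (the equivalent of `| lookup productidvals productid OUTPUT productdescription`, where the definition name productidvals is an assumption), and then counts by the new field as `| stats count by productdescription` would. The sample events, including the unmatched product id ZZ-00-X99, are constructed.

```python
import csv
import io

# Constructed copy of the tutorial's productidvals.csv. The header field name must
# equal the event field name exactly, because Splunk field names are case-sensitive.
LOOKUP_CSV = """productid,productdescription
WC-SH-G04,Tablets
DB-SG-G01,PCs
DC-SG-G02,MobilePhones
SC-MG-G10,Wearables
WSC-MG-G10,Usb Light
GT-SC-G01,Battery
SF-BVS-G01,Hard Drive
"""

# Constructed sample events standing in for host=web_application search results.
EVENTS = [
    {"host": "web_application", "productid": "WC-SH-G04", "action": "purchase"},
    {"host": "web_application", "productid": "SF-BVS-G01", "action": "view"},
    {"host": "web_application", "productid": "WC-SH-G04", "action": "view"},
    {"host": "web_application", "productid": "GT-SC-G01", "action": "purchase"},
    {"host": "web_application", "productid": "ZZ-00-X99", "action": "view"},  # no lookup row
]


def load_lookup(csv_text, key_field):
    """Parse a lookup CSV into {key value: {output field: value}}.

    Raises ValueError when the key field is absent from the header, which is the
    mismatch the tutorial warns about (a header of 'productId' for a field 'productid').
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if key_field not in (reader.fieldnames or []):
        raise ValueError(
            f"lookup header {reader.fieldnames} has no field named {key_field!r}"
        )
    table = {}
    for row in reader:
        table[row[key_field]] = {k: v for k, v in row.items() if k != key_field}
    return table


def apply_lookup(events, table, key_field, output_fields):
    """Enrich events like '| lookup <definition> productid OUTPUT productdescription'.

    Matching is exact and case-sensitive, which is Splunk's default for CSV lookups
    (case_sensitive_match = true). Events whose key has no row pass through unchanged.
    """
    enriched = []
    for event in events:
        new_event = dict(event)
        match = table.get(event.get(key_field))
        if match is not None:
            for field in output_fields:
                new_event[field] = match[field]
        enriched.append(new_event)
    return enriched


def count_by(events, field, missing="unknown"):
    """Equivalent of '| stats count by <field>', bucketing events that lack the field."""
    counts = {}
    for event in events:
        value = event.get(field, missing)
        counts[value] = counts.get(value, 0) + 1
    return counts


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV, "productid")
    enriched = apply_lookup(EVENTS, table, "productid", ["productdescription"])
    for event in enriched:
        print(event["productid"], "->", event.get("productdescription", "<no match>"))
    print(count_by(enriched, "productdescription"))
```

The unmatched event is kept rather than dropped, which is also what the Splunk lookup command does; bucketing it as "unknown" in count_by makes such gaps in the lookup table visible in a report instead of silently shrinking the totals.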