Lookup attributes

Lets discuss lookup attributes now. Splunk can use the existing lookup definitions to match the values of an attribute that you select to values of a field in the specified lookup table. It then returns the corresponding field/value combinations and applies them to your object as (lookup) attributes.

Once again, if you click Add Attribute and select Lookup, Splunk opens the Add Attributes with a Lookup page (shown in the following screenshot) where you can select from your currently defined lookup definitions. For this example, we select dnslookup:

The dnslookup converts clienthost to clientip. We can configure a lookup attribute using this lookup to add that result to the processing errors objects.

Under Input, select host for the Field in Lookup and Attribute. Field in Lookup is the field to be used in the lookup table. Attribute is the name of the field used in the event data. In our simple example, Splunk will match the field clienthost with the field host.

Under Output, I have selected host as the output field to be matched with the lookup. You can provide a Display Name for the selected field. This display name is the name used for the field in your events. I simply typed AviationLookupName for my display name (see the following screenshot):

Again, Splunk allows you to click Preview to review the fields that you want to add. You can use the tabs to view the Events in a table, or view the values of each of the fields that you selected in Output. For example, the following screenshot shows the values of AviationLookupName:

Finally, we can click Save.

Children

We have just added a root (or parent) object to our data model. The next step is to add some children. Although a child object inherits all the constraints and attributes from its parent, when you create a child, you will give it additional constraints with the intention of further filtering the dataset that the object represents.

To add a child object to our data model, click Add Object and select Child:

Splunk then opens the editor window, Add Child Object (shown in the following screenshot):

On this page, follow these steps:

• Enter the Object Name: Dimensional Errors
• Leave the Object ID: Dimensional_Errors
• Under Inherit From, select Processing Errors. This means that this child object will inherit all the attributes from the parent object, Processing Errors
• Add the Additional Constraints: dimension, which means that the data models search for the events in this object; when expanded, it will look something like this: sourcetype=tm1* error dimension
• Finally, Click Save to save your changes
  

Following the above outlined steps, you can add additional objects, each continuing to filter the results until you have the results that you need.

At this point, the next step in implementing a Splunk data model is to use it. So let's continue and determine how.