Scribd Logo
Upload

Welcome to Scribd!

  • Splunk Fundamentals 1 Lab Exercises: Lab Module 12 - Creating Lookups

    Uploaded by

    jaaaaaheue
    117 views7 pages

    Original Title

    SplunkFundamentals1_module12.pdf

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    117 views7 pages

    Splunk Fundamentals 1 Lab Exercises: Lab Module 12 - Creating Lookups

    Uploaded by

    jaaaaaheue

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 7

    Splunk Fundamentals 1 Lab Exercises

    Lab typographical conventions:


    [sourcetype=db_audit] OR [cs_mime_type] indicates either a source type or the name of a field.

    NOTE: Lab work will be done on your personal computer or virtual machine, no lab environment is
    provided. We suggest you DO NOT do the lab work on your production environment.

    The lab instructions refer to these source types by the types of data they represent:
    Type Sourcetype Fields of interest
    Web Application access_combined_wcookie action, bytes, categoryId, clientip,
    itemId, JSESSIONID, productId,
    referer, referer_domain, status,
    useragent, file

    Database db_audit Command, Duration, Type

    Web server linux_secure COMMAND, PWD, pid, process

    Lab Module 12 – Creating Lookups

    NOTE: This lab document has two sections. The first section includes the instructions without answers.
    The second section includes instructions with the expected search string (answer) in red.
    Description
    In this lab exercise, you will create a new automatic lookup that provides additional information for Buttercup
    Games products.

    Scenario: The web application data does not contain name and price information for the products being
    sold. Users of your reports would like to see product names used in your reports, not just product
    Ids.

    Task 1: Download and examine the lookup file.

    Open a new browser window and direct it to http://splk.it/productdata


    The file products.zip will be downloaded to your system.
    Use an archive tool to unarchive the file.
    Once unarchived, you will see a file named products.csv.
    Return to the browser window for your instance of Splunk Web or open a new one.
    Navigate to the Search view. (If you are in the Home app, click Search & Reporting from the column on
    the left side of the screen. You can also access the Search view by clicking the Search menu option on
    the bar at the top of the screen.)
    Task 2: Add a lookup file and create a lookup definition.

    Navigate to: Settings > Lookups > Lookup table files.


    Click New Lookup Table File.
    © 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 1
    Save the lookup table file with these values:
    • Destination app: search
    • File: products.csv file
    • Destination filename: products.csv
    Navigate to Settings > Lookups > Lookup definitions.
    Make sure Search & Reporting is selected for App context and Click New Lookup Definition.
    Save the lookup table file with these values:
    • Destination app: search
    • Name: products_lookup
    • Type: File-based
    • Lookup file: products.csv
    Return to the Search view.
    Use inputlookup command to verify the lookup definition was created correctly.
    Example Results:

    Task 3: Use the lookup in a search.

    NOTE: For this course, you will be searching across all time using the main index. This is NOT a best
    practice in a production environment, but needed for these labs due to the nature of the limited
    dataset.

    Search the web application data for all events where a user purchased a product successfully.
    Use the lookup command and reference the lookup table you just created. Match the productId in
    lookup table to the productId field in the event data. Use the OUTPUT function to output the
    product_name lookup table data to a ProductName field.
    Notice that there is now a ProductName field in the fields list.
    Example:

    Change the search to use a stats count function to count events by ProductName.

    Example Results:

    © 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 2


    Task 4: Create an automatic lookup definition.

    Navigate to Settings > Lookups > Automatic lookups


    Save the automatic lookup with these values:
    • Destination app: search
    • Name: products_auto_lookup
    • Lookup table: products_lookup
    • Apply to: sourcetype
    • named: access_combined_wcookie
    • Lookup input fields: productId = productId
    • Lookup output fields: product_name = ProductName
    price = Price
    Example:

    Task 5: Verify your automatic lookup is working.

    Return to the Search view.


    Search the web application data for all events where a user purchased a product successfully. Use the
    stats sum function to sum the Price field by ProductName. Name the resulting field Revenue.
    Use the sort command to find the product that has generated the largest revenue. Take note of the
    ProductName as you might be asked to recall it in the module quiz.
    Save the report as a dashboard panel on your Sales Dashboard.

    © 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 3


    Splunk Fundamentals 1 Lab Exercises
    Lab typographical conventions:
    [sourcetype=db_audit] OR [cs_mime_type] indicates either a source type or the name of a field.

    NOTE: Lab work will be done on your personal computer or virtual machine, no lab environment is
    provided. We suggest you DO NOT do the lab work on your production environment.

    The lab instructions refer to these source types by the types of data they represent:
    Type Sourcetype Fields of interest
    Web Application access_combined_wcookie action, bytes, categoryId, clientip,
    itemId, JSESSIONID, productId,
    referer, referer_domain, status,
    useragent, file

    Database db_audit Command, Duration, Type

    Web server linux_secure COMMAND, PWD, pid, process

    Lab Module 12 – Creating Lookups with Solutions

    NOTE: This lab document has two sections. The first section includes the instructions without answers.
    The second section includes instructions with the expected search string (answer) in red.
    Description
    In this lab exercise, you will create a new automatic lookup that provides additional information for Buttercup
    Games products.

    Scenario: The web application data does not contain name and price information for the products being
    sold. Users of your reports would like to see product names used in your reports, not just product
    Ids.

    Task 1: Download and examine the lookup file.

    Open a new browser window and direct it to http://splk.it/productdata


    The file products.zip will be downloaded to your system.
    Use an archive tool to unarchive the file.
    Once unarchived, you will see a file named products.csv.
    Return to the browser window for your instance of Splunk Web or open a new one.
    Navigate to the Search view. (If you are in the Home app, click Search & Reporting from the column on
    the left side of the screen. You can also access the Search view by clicking the Search menu option on
    the bar at the top of the screen.)
    Task 2: Add a lookup file and create a lookup definition.

    Navigate to: Settings > Lookups > Lookup table files.


    Click New Lookup Table File.
    © 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 1
    Save the lookup table file with these values:
    • Destination app: search
    • File: products.csv file
    • Destination filename: products.csv
    Navigate to Settings > Lookups > Lookup definitions.
    Make sure Search & Reporting is selected for App context and Click New Lookup Definition.
    Save the lookup table file with these values:
    • Destination app: search
    • Name: products_lookup
    • Type: File-based
    • Lookup file: products.csv
    Return to the Search view.
    Use inputlookup command to verify the lookup definition was created correctly.
    (| inputlookup products_lookup)
    Example Results:

    Task 3: Use the lookup in a search.

    NOTE: For this course, you will be searching across all time using the main index. This is NOT a best
    practice in a production environment, but needed for these labs due to the nature of the limited
    dataset.

    Search the web application data for all events where a user purchased a product successfully.
    (index=main sourcetype=access_combined_wcookie status=200 file=success.do)
    Use the lookup command and reference the lookup table you just created. Match the productId in
    lookup table to the productId field in the event data. Use the OUTPUT function to output the
    product_name lookup table data to a ProductName field.
    (index=main sourcetype=access_combined_wcookie status=200 file=success.do | lookup products_lookup
    productId as productId OUTPUT product_name as ProductName)
    Notice that there is now a ProductName field in the fields list.
    Example:

    Change the search to use a stats count function to count events by ProductName.

    © 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 2


    (index=main sourcetype=access_combined_wcookie status=200 file=success.do | lookup products_lookup
    productId as productId OUTPUT product_name as ProductName | stats count by ProductName)
    Example Results:

    Task 4: Create an automatic lookup definition.

    Navigate to Settings > Lookups > Automatic lookups


    Save the automatic lookup with these values:
    • Destination app: search
    • Name: products_auto_lookup
    • Lookup table: products_lookup
    • Apply to: sourcetype
    • named: access_combined_wcookie
    • Lookup input fields: productId = productId
    • Lookup output fields: product_name = ProductName
    price = Price
    Example:

    Task 5: Verify your automatic lookup is working.

    Return to the Search view.


    Search the web application data for all events where a user purchased a product successfully. Use the
    stats sum function to sum the Price field by ProductName. Name the resulting field Revenue.
    (index=main sourcetype="access_combined_wcookie" file=success.do status=200 | stats sum(Price) as
    Revenue by ProductName)

    © 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 3


    Use the sort command to find the product that has generated the largest revenue. Take note of the
    ProductName as you might be asked to recall it in the module quiz.
    (index=main sourcetype="access_combined_wcookie" file=success.do status=200 | stats sum(Price) as
    Revenue by ProductName | sort -Revenue)
    (Dream Crusher)
    Save the report as a dashboard panel on your Sales Dashboard.

    © 2018 Splunk Inc. All rights reserved. Splunk Fundamentals 1 Page 4

    You might also like