Splunk SPL Commands

What Is the lookup Command?

The lookup command enriches search results by matching event fields against an external data source — typically a CSV file, KV Store collection, or external database. It adds contextual fields to your events, transforming raw log data into actionable intelligence.

Core Syntax

| lookup <lookup_name> <match_field> [AS <event_field>] OUTPUT <new_fields>

Types of Lookups

Type             | Source                        | Best For
CSV Lookup       | Static CSV file               | Asset lists, department maps, reference tables
KV Store         | Splunk’s internal NoSQL store | Dynamic data, large datasets, frequent updates
External Lookup  | Script or API                 | DNS resolution, GeoIP, threat intel feeds
Geospatial       | KMZ/KML files                 | Geographic mapping

Security Operations Examples

1. Asset Context Enrichment

index=security sourcetype=WinEventLog:Security EventCode=4625
| lookup asset_inventory ip AS src_ip OUTPUT hostname asset_owner asset_criticality business_unit
| stats count BY src_ip hostname asset_owner asset_criticality
| sort - count

2. Threat Intelligence Correlation

index=network sourcetype=firewall action=allowed
| lookup threat_intel_ioc ip AS dest_ip OUTPUT threat_type threat_source confidence
| where isnotnull(threat_type)
| table _time src_ip dest_ip dest_port threat_type confidence threat_source

3. GeoIP Location Mapping

index=web sourcetype=access_combined
| iplocation clientip
| lookup geo_risk_zones Country OUTPUT risk_level
| where risk_level="high"
| stats count BY Country City risk_level

4. User Department Mapping for Compliance Reporting

index=security sourcetype=WinEventLog:Security EventCode=4624
| lookup ad_users sAMAccountName AS Account_Name OUTPUT department title manager
| stats dc(ComputerName) AS systems_accessed BY Account_Name department title
| where systems_accessed > 20

Creating a CSV Lookup

To create a CSV-based lookup:

  1. Upload your CSV to Splunk via Settings → Lookups → Lookup table files
  2. Define the lookup via Settings → Lookups → Lookup definitions
  3. Optionally make it automatic via Settings → Lookups → Automatic lookups

Example CSV Structure (asset_inventory.csv)

ip,hostname,asset_owner,asset_criticality,business_unit
10.1.1.50,DC01,IT Security,Critical,Infrastructure
10.1.2.100,WEB01,DevOps,High,Engineering
10.1.3.25,LAPTOP-042,Jane Smith,Medium,Finance

Automatic Lookups

Configure a lookup to run automatically on every search for a given sourcetype — no | lookup command needed in your searches:

# In transforms.conf
[asset_inventory]
filename = asset_inventory.csv

# In props.conf
[WinEventLog:Security]
LOOKUP-asset_context = asset_inventory ip AS src_ip OUTPUT hostname asset_owner

Best Practices

  • Use OUTPUT to specify needed fields only — Don’t pull every column from the lookup; specify exactly what you need.
  • Use OUTPUTNEW to avoid overwriting: OUTPUTNEW only adds a field if it doesn’t already exist in the event, whereas OUTPUT replaces any existing value.
  • Keep CSV lookups under 100MB — For larger datasets, migrate to KV Store.
  • Schedule lookup updates — For threat intel feeds, automate CSV refreshes via scripted inputs or the Threat Intelligence Framework.
  • Use inputlookup for direct table access: | inputlookup asset_inventory.csv | search asset_criticality="Critical" returns the lookup rows themselves rather than enriched events.
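To make the OUTPUT vs OUTPUTNEW and no-match behaviour concrete, here is an added Python model of the lookup step (example code, not Splunk's or the author's) run over the asset_inventory.csv layout above and three constructed EventCode 4625 events; the function names and sample events are assumptions.

```python
import csv
import io

# Constructed copy of the asset_inventory.csv shown above.
ASSET_INVENTORY_CSV = """ip,hostname,asset_owner,asset_criticality,business_unit
10.1.1.50,DC01,IT Security,Critical,Infrastructure
10.1.2.100,WEB01,DevOps,High,Engineering
10.1.3.25,LAPTOP-042,Jane Smith,Medium,Finance
"""

# Constructed sample events: the fields of interest from 4625 logon failures.
# The second event already carries a hostname, to show OUTPUTNEW keeping it;
# the third has a src_ip that is not in the inventory (no match).
EVENTS = [
    {"src_ip": "10.1.1.50", "EventCode": "4625"},
    {"src_ip": "10.1.3.25", "EventCode": "4625", "hostname": "from-event"},
    {"src_ip": "192.168.9.9", "EventCode": "4625"},
]


def load_lookup(csv_text, match_field):
    """Index the CSV rows by the lookup's match column (the 'ip' column here)."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table[row[match_field]] = row
    return table


def lookup(events, table, event_field, output_fields, output_new=False):
    """Model `| lookup <name> <match_field> AS <event_field> OUTPUT|OUTPUTNEW <fields>`.

    The event's event_field value is matched against the indexed match column.
    On a hit, the requested columns are copied onto the event: OUTPUT overwrites
    an existing event field, OUTPUTNEW keeps it. Unmatched events pass through
    untouched, so a later `where isnotnull(<field>)` drops them.
    """
    enriched = []
    for ev in events:
        ev = dict(ev)
        row = table.get(ev.get(event_field))
        if row is not None:
            for field in output_fields:
                if output_new and field in ev:
                    continue
                ev[field] = row[field]
        enriched.append(ev)
    return enriched


def matched_only(events, field):
    """Equivalent of `| where isnotnull(field)` after the lookup."""
    return [ev for ev in events if ev.get(field) is not None]


if __name__ == "__main__":
    table = load_lookup(ASSET_INVENTORY_CSV, "ip")
    for ev in lookup(EVENTS, table, "src_ip", ["hostname", "asset_criticality"]):
        print(ev)
```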

Next in the series: The transaction command — grouping related events into sessions.
