Hi, Travis with Splunk here. In this video I want to go over lookup tables and give you an example of how I use lookup tables.

I've pulled up a search here that shows the activity of the different devices on my home network. I can see there is a spike in data, and instead of me having to remember the IP address of that device, I can have a lookup table translate that IP to a hostname, so that when I hover over this spike of data I get a name instead of an IP address. This is very helpful because I don't want to remember all the IP addresses for all the 30-plus devices that are in my house or in my home environment.

So if you're new to Splunk and you're sitting here going, "Lookup tables? Why are they important? What are you talking about, Travis?", let's go to your favorite search engine, whatever you want to use, and do a search on "Splunk lookup tables". That will give you ways to find more information and use our documentation. I find that doing a search in your favorite search engine is the easiest way to find stuff in our documentation.
So the first result is the lookup command. I am using that lookup command in this search. And then if we go back here, the second one is "About lookups", and then there are others: lookup command examples, how to use lookup tables, the Splunk Community, Splunk Answers. But I'm going to go into this "About lookups" Splunk documentation and show you more information about lookup tables here: what a lookup is (a way to enrich the data that you are collecting), the four types of lookups (CSV, external, KV store and even geo), and then more information about each one of those four types of lookup tables. I'm going to focus on CSV today.

And here we have a link to how I can create and bring a lookup table into Splunk using the web GUI or, if you like, using the configuration file and CLI; there's a link for that. But for today we are going to go into this link here, which defines a CSV lookup, gives you more information about that CSV file, and then how to upload that file.
And if you need an example of a lookup table, we have "see lookup for an example"; this "lookup" is a hyperlink, and we can drill down even further and see examples of a lookup table. An example that we provide (I say "we" meaning Splunk) is an HTTP status code lookup, and you can go ahead and download that so you can see it, or just review the sample that Splunk has provided, where it shows the header fields, status, status description and status type, separated by commas, and then the values that are associated with the header fields. It's all comma separated with no spaces. So you can see, like, 200, OK, Successful, and three different header fields, and then the steps to go ahead and add those lookup tables into your Splunk Web.

So let's take one step back here. In here is more information about lookup tables and how to get them in there. So just take some time and go through all of this; I could probably spend an hour on lookup tables. But what I'm going to do is also scroll down here, because there's something else I want to show.
This is back to "About lookups", and if I scroll down there's more: lookup table definitions, automatic lookups. This is great. So instead of having to invoke that lookup command during the search, I can go ahead and set up an automatic lookup that will be invoked at search time and bring in that information that you would need.

So the last thing I'm going to talk about on this page is commands and lookups. There are three commands that are related to lookup tables. I've already shown lookup, but there's also inputlookup and outputlookup. So you can manually create your lookup file, or we can actually use outputlookup in a Splunk search to create a lookup table, to get that information into Splunk so you can use it with other Splunk searches. I will go over that, and we're going to build that out today.

So let's back up. Here's where I'm using the lookup command there with this lookup table. We have a couple of different ways of being able to look at what data is in that lookup table, that CSV file: the inputlookup command is one way, and then there's an app that you can download.
So let me show off the inputlookup command real quick. So, inputlookup, and you can see I've already used this command before. And before I go any further: if you like how I'm getting a lot of information over here when I click inputlookup, and you're not getting this much information, like when I click "more", you'll go up to "administrator", or whoever you're logged in as, your user account name, go to Preferences and then SPL Editor, and you can change this on your account for your preference. Splunk by default will have it on Compact, and you can select Full. And then, if you've ever noticed, when I hit the pipe it drops down a new line; that's this "search auto-format". So I select it, so it automatically drops a new line every time, and you'll probably see that here in a minute. So I'm going to go ahead and hit cancel. So I have inputlookup, and what was that, Hall? Yep, I've already got it there, so I'll just click on that and click run. So all this command does is bring the data into a Splunk search so I can view it.
This is a CSV file that I have uploaded; I have edited it and made adjustments to it. And this is the CSV file that is being used in this search, where my destination IP will go down here, and if it makes a match it outputs me the hostname. Now the other way that we can edit this file is an app. Do I have that up? Nope. So we'll go here, Apps, and we're going to go to the Splunk App for Lookup File Editing, and this is an app that I've downloaded off of Splunkbase.

If you've never, I'll back up, before I go too much further: if you've never heard of Splunkbase, this is our app store. We can either go to splunkbase.splunk.com and do a search in here for "lookup file", there it is, Lookup File Editing, or just, back at your favorite search engine, "Splunkbase lookup editor", and you'll get links to the same location. I will point out that with the new Splunkbase (Splunk is providing a new Splunkbase over the old one), sometimes,
if I were to just put "lookup", you may not see that app down here, and even if I run a search you may not see it, so make sure to put in "lookup file". If you go to the old Splunkbase, if I type in "lookup" there, it's the first entry. So hopefully our product team, or whoever's working on the website, is adjusting that. And then the last way that we could bring in that lookup app is to go to Apps, Find More Apps, and then the same thing here, "lookup", and if I type in, let's say, "edit", there it is. Probably any other, I just didn't feel like scrolling down, but here you can just install it that way if your Splunk environment is internet capable. I worked in an environment where that was not the case.

So now let's talk about the outputlookup command and how to use it, and I'm actually going to go back into here. I want to show DHCP. So here you can see that lookup; this is that Splunk App for Lookup File Editing. I am filtering all of my... there are a lot more, I'll back up: there are a lot of lookup tables that are loaded in my environment.
I am using the Splunk Security Essentials app. It's a free app that you can also download from Splunkbase; if you are in that security business, please check it out. There's one for compliance, there's one for IT Essentials. So we have a lot of good apps out there to help you get going. But here I'm going to go "DHCP", and you can see the one CSV that I have right now. And what we're going to do here is a base search that has given me the IP address, but I would rather, or I need, the hostname off to here. Luckily for me, I have another data source that I'm using, OPNsense, as a DHCP server, and if I go ahead and run this, it will give me the raw logs, and in the raw logs I have my IP address and it also has hostnames in here. And I can look at my interesting fields, because I have the OPNsense TA app that I downloaded, which helps me to parse this data, and you can see over here in interesting fields I have client IP, MAC and name. So now I want to create a lookup table with these three fields. I'm going to hit the pipe.
I'm going to say stats count by, what was that, client_name, client_ip and client_mac. Remember, your field names are case sensitive; not the values, but the field names themselves are. And once this comes up it gives me four columns, and if I don't want count here in my lookup table, I'm just going to say, the easiest way, fields minus count, and that will clean it up. This is the output that I would like to have. So next I'm going to invoke the outputlookup command. So let's click on that, and I already have in my command history, because I practice this before I record a video, outputlookup DHCP_test, and when I'm here in my Splunk environment it is not here yet. So let's go ahead and click on that, and as soon as I run this and give it a few seconds, there we go, I have an output. It may not be a hundred percent, but it's a start; you don't have to build everything from scratch. So I can have this here and start editing this lookup table with the lookup file editor.
So I 100% recommend downloading that app to edit the lookup tables, because if you don't, you'd have to be in the business of pulling that lookup table from your Splunk indexers or search heads, bringing it down to your computer and editing it, or logging into the box and editing it manually like that. So the lookup editor is definitely one of the first apps that I install on a fresh Splunk install. But here you can see I have "tab a" and "tab a o", which one? There are two different MAC addresses, two different IPs; my kids both have a tablet. So if I wanted to know which tablet is which, grab the tablet, look up the MAC address, make sure I know which one it is, and update my lookup table. So if we go back here to this lookup app, the Splunk App for Lookup File Editing, and re-run this search, let's see here, just hit refresh, and I'll have to put in DHCP again. There is that lookup table, and if I wanted to, I can just click in here, and now I can start editing this lookup file.
So I like this device here; it is my work_laptop, this is dash child one, and then we have dash child two. Click save. We can add more columns, so if I know, like, right now none of my firewall ports are showing up, so I could say "firewall", and if I have the IP address I can put that in there, and if I had the MAC address, dot, 1.1. Let's, sure, just for fun, because it doesn't matter, I'll just plug this in and call it 99. Save. Now when I come back over here and I rerun this... well, actually, if I rerun this, ooh, almost messed up: if I rerun this it'll overwrite the changes. Well, I'll show you that. Let's see here, bam. If I go back over here, click Lookups, refresh this, let's see, I'll do another refresh here, and I'll type in DHCP and click DHCP_test, you can see those changes I made are gone now. So be careful with that command, with outputlookup.
So yeah, this time I'll just do this one here, and I'll say "work laptop", and I just want to show you that, "one" and then "dash two", that it does work when you click "save lookup". And what I can do is come here, and actually I will open a new search and do a pipe inputlookup DH... yeah, DHCP_test, not .csv. And you can see now, instead of what it was before, I get my work laptop, and now I have one and two. And then for this here, I can easily come back to my previous search, or I can type it out here; I think I've got it copied over here. Now I can quickly, oops, got to get rid of the extra pipe when I copied it, and then, actually what I'll do is fields, and say dest_ip, and then stats count by dest_ip hostname, and voila. So you can see where it's grabbing that information.
Oh, I got the wrong one: DHCP_test.csv. Oh, and you can see I have IP here, and what I needed to do was actually go back to my lookup table and say client_ip, and then I believe it's the first one here, so let's just test that out: client, what did I call that field again? client_name. And there you go; see, there's the 133, which was the A1, and in there is my work laptop. So you got to see me fail with the field names, but that's a good thing, because then you saw that the first field in your lookup table is there to match your search results: the client IP as destination IP, and then the client name as hostname. So instead of it coming out as a client name, I have it as hostname; I could have easily done this and said client_name if I wanted to, if that makes more sense for you as well.

And once you've defined that lookup table and you've got it incorporated into Splunk, we can start adding that information to dashboards you may have built, or other reports. So here is a dashboard that I created that looks at all the devices in my network. I use my data from the DHCP server and compare it to the lookup table to see if there are any changes: if a new device grabbed an IP on my network that I didn't know about, I could set up alerts around this. For example, I do have one here for "what", so anytime a new device comes on here and it does not find a match, it actually outputs the name "what", so that I can go, "hey, what is this?" Yeah, and what is this? A Nintendo 3DS. So one of my kids must have turned on their 3DS that they haven't used in a while. So I'm going to go edit my lookup table, and here's the MAC address. So let's go see if it's already in that lookup table, and not this one; so I'm going to click Lookups here and go back into Hall DHCP leases, and I can either do a filtered search for "nin", and I have one here for a Nintendo 3DS, but that's a different MAC address. So let's just add this one in place, because I know there should be two of them.
So I'll just insert a row afterwards, and we'll call this one Nintendo, we'll say 3DS, two, and we'll give it, yeah, we can see there it is, the different MAC address, and then what IP address did it grab? So I'll just grab this IP address, because that's what my DHCP server has, and we will go back over here, and we'll say this, I'm going to click save lookup. All right, and after clicking save lookup I should be able to go back to my dashboard, and I'll just do a refresh, click OK, didn't have to click submit, and it should not have anything in the red column, and there we go.

Oh, interesting. So now I need to... the client name and the hostname are different. So I'll play around with this some more. They should be the same; well, the client name is what my DHCP server sees it as, and then this is the name I gave it. So I'll have to now go get the kids' devices and make sure that I don't have a rogue Nintendo 3DS on my network, which I doubt; I know we have two of them.

So hopefully this video was helpful in introducing you to lookups and the power of them.
If you have any questions or comments, please leave them below, and happy spelunking.