Leveraging Lookups and Subsearches

Document Usage Guidelines


• Should be used only for enrolled students
• Not meant to be a self-paced document, an instructor is needed
• Do not distribute

1 March 2023
Leveraging Lookups and Subsearches
turn data into doing™ 2 Copyright © 2023 Splunk, Inc. All rights reserved | 1 March 2023
Course Goals
• Use lookup commands
• Define subsearch
• Correlate events with subsearches
• Use the return command in a search

Course Outline
• Using Lookup Commands
• Adding a Subsearch
• Using the return Command

Using Lookup Commands

What is a Lookup?
• Lookups provide enrichment to your event data by appending fields from another data source (i.e. lookup output fields)
• Splunk provides four types of lookups by default

Lookup Type   Description
File-based    Populates your events with fields pulled from CSV files
External      Uses Python scripts or binary executables to append data
KV Store      Accesses key value pairs from a KV Store collection
Geospatial    References a KMZ or KML file

Lookups at Search Time
• Sometimes static (or relatively unchanging) data is required for searches, but isn't available in the raw event data
• Lookups pull such data from standalone files at search time and add it to search results as field values

[Figure: raw event data, the lookup input field used to match it, and the lookup output fields added to the results]

Topic Objectives
• Define lookups
• Use the inputlookup command to search lookup files
• Use the lookup command to invoke field value lookups
• Use the outputlookup command to create lookups
• Use the lookup command with geospatial lookups

inputlookup Command
| inputlookup [<filename>|<lookup-definition>]

• Useful for searching and validating the contents of a lookup table
  – Use <filename> for searching lookup .csv or .csv.gz files
  – Use a lookup's <lookup-definition> name to search lookup tables configured for any lookup type
• An event-generating command; should be the first command in a search following a pipe character

inputlookup Command Example
1 The lookup file is uploaded, and you are given access to the lookup
2 Before a lookup can be searched, a knowledge manager must upload the lookup file

[Figure: the products.csv lookup file]

lookup Command: Basic Syntax
...| lookup <lookup-table-name> <lookup-field>

• Use the lookup command to invoke field value lookups
• The <lookup-table-name> can reference:
  – Name of CSV file
  – Lookup definition name associated with lookup table files
• The lookup's <lookup-field> is used to match against the events
• By default, Splunk adds all remaining fields in the lookup table to the events

lookup Command: <lookup-destfield>
...| lookup <lookup-table-name> <lookup-field> [OUTPUT|OUTPUTNEW (<lookup-destfield>)]

• You can specify one or more <lookup-destfield> to be added to the events; also called "lookup output fields"
• Use modifiers to change overwrite behavior for existing field names that match the lookup output field(s) name(s):
  – OUTPUT: overwrite existing fields
  – OUTPUTNEW: do not overwrite existing fields
• Lookup output fields only exist for the duration of the search

Enriching Search Results with Lookup
• This search invokes the products.csv lookup and Splunk adds additional fields to the search results
• A knowledge manager can configure the searches to always include these fields by making products.csv an automatic lookup

| lookup products.csv productId

[Figure: event fields before and after invoking the lookup; Splunk correlates events with productId and adds all remaining lookup fields to the events]

lookup Command Example 1
Scenario: Calculate the sales for each product in the last 24 hours.

index=web sourcetype=access* action=purchase status=200
| lookup products.csv productId OUTPUT price product_name
| stats sum(price) AS sales BY product_name

• Invoke the products.csv lookup and use productId as the lookup input field (1)
• Specify price and product_name as lookup output fields (2)
• Lookup output fields are available for statistical processing by stats (3)

lookup Command Example 2
Scenario: Your Knowledge Manager has just uploaded a new lookup definition for the promotional holiday products. Calculate the sales for each product in the last 24 hours using the promotional sale price. The lookup definition name is holiday_product_promo and the promotional price is sale_price.

index=web sourcetype=access* action=purchase status=200
| lookup holiday_product_promo productId OUTPUT sale_price product_name
| stats sum(sale_price) AS sales BY product_name

Limiting Distinct Values with lookup
• Using the same name for lookupField and lookupDestfield can limit the number of distinct values for lookupDestfield
• If the value of an event's lookupDestfield is not present in the values of lookupField then the value will be set to NULL

Without the lookup:
index=security sourcetype=linux_secure

With the lookup:
index=security sourcetype=linux_secure
| lookup knownusers.csv user OUTPUT user

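The following is an added example, not code from the course or from Splunk: a small Python model of what the lookup command does to search results, covering the OUTPUT and OUTPUTNEW overwrite behaviour from the <lookup-destfield> slide, the products.csv sales search from Example 1, and the same-name trick (| lookup knownusers.csv user OUTPUT user) from the slide above. The CSV tables and the events are constructed stand-ins for products.csv, knownusers.csv and the indexed data.

```python
# Added example (not Splunk's code): a Python model of the lookup command's effect on
# search results. Tables and events are constructed so the block runs offline.
import csv
import io
from typing import Dict, List, Optional

# Constructed stand-in for the products.csv lookup file.
PRODUCTS_CSV = """productId,product_name,price,categoryId
DB-SG-G01,Mediocre Kingdoms,24.99,STRATEGY
DC-SG-G02,Dream Crusher,39.99,STRATEGY
FS-SG-G03,Final Sequel,24.99,SHOOTER
"""
# Constructed stand-in for knownusers.csv: one column, the lookup field user.
KNOWN_USERS_CSV = """user
root
mailman
djohnson
"""
# Constructed web purchase events; the second one already carries a price field.
PURCHASES = [
    {"clientip": "198.51.100.7", "productId": "DB-SG-G01"},
    {"clientip": "198.51.100.9", "productId": "DC-SG-G02", "price": "0.01"},
    {"clientip": "203.0.113.4", "productId": "XX-NOT-IN-LOOKUP"},
]
# Constructed linux_secure events, each with a user field.
LOGINS = [
    {"src_ip": "192.0.2.8", "user": "root"},
    {"src_ip": "192.0.2.9", "user": "djohnson"},
    {"src_ip": "203.0.113.5", "user": "hax0r"},
]


def load_lookup(csv_text: str) -> List[Dict[str, str]]:
    """Parse a CSV lookup table into rows (the view inputlookup gives you)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lookup(events: List[Dict[str, str]], table: List[Dict[str, str]], lookup_field: str,
           output_fields: Optional[List[str]] = None, overwrite: bool = True) -> List[Dict[str, str]]:
    """Model of `| lookup <table> <lookup_field> OUTPUT|OUTPUTNEW <output_fields>`.
    overwrite=True  models OUTPUT: the lookup result replaces an existing field; on a
                    miss the output field is set to NULL (dropped from the event).
    overwrite=False models OUTPUTNEW: existing fields are kept, missing ones are filled.
    output_fields=None models the default: every remaining lookup column is added.
    Matching is exact and case-sensitive, which is also Splunk's default."""
    index = {row[lookup_field]: row for row in table}
    if output_fields is None:
        output_fields = [col for col in table[0] if col != lookup_field]
    enriched = []
    for event in events:
        event = dict(event)  # output fields exist only for this search, so work on a copy
        match = index.get(event.get(lookup_field))
        for field in output_fields:
            value = match.get(field) if match else None
            if overwrite:
                if value is None:
                    event.pop(field, None)
                else:
                    event[field] = value
            elif value is not None and field not in event:
                event[field] = value
        enriched.append(event)
    return enriched


def sales_by_product(events: List[Dict[str, str]], overwrite: bool = True) -> Dict[str, float]:
    """Model of: | lookup products.csv productId OUTPUT price product_name
                 | stats sum(price) AS sales BY product_name"""
    table = load_lookup(PRODUCTS_CSV)
    sales: Dict[str, float] = {}
    for event in lookup(events, table, "productId", ["price", "product_name"], overwrite):
        if "product_name" in event and "price" in event:  # stats drops events lacking the BY field
            name = event["product_name"]
            sales[name] = round(sales.get(name, 0.0) + float(event["price"]), 2)
    return sales


def known_users_only(events: List[Dict[str, str]]) -> List[Optional[str]]:
    """Model of: | lookup knownusers.csv user OUTPUT user
    Returns each event's user afterwards; None is the NULL the slide describes."""
    table = load_lookup(KNOWN_USERS_CSV)
    return [event.get("user") for event in lookup(events, table, "user", ["user"])]


if __name__ == "__main__":
    print(sales_by_product(PURCHASES))                   # OUTPUT: the lookup's price wins
    print(sales_by_product(PURCHASES, overwrite=False))  # OUTPUTNEW: the event's own price is kept
    print(known_users_only(LOGINS))                      # the unknown user becomes None
```

The third call is the point of the slide: with OUTPUT, an event whose user is absent from knownusers.csv leaves the lookup with no user value at all, so a later `stats ... by user` silently drops it; OUTPUTNEW would have kept the original value.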
outputlookup Command
...| outputlookup <filename>|<lookup-definition>

• Writes search results to a specified file-based lookup (CSV) or KV Store collection
• Can be executed from a search, ad-hoc report, scheduled search or alert

users.csv = filename               ...| outputlookup users.csv
usergroup = definition/tablename   ...| outputlookup usergroup

Note: If saving to a lookup definition, the lookup table file or KV collection must already exist.

outputlookup Command (cont.)
The createinapp argument is one of many optional arguments

outputlookup lookup.csv

• If lookup.csv already exists: lookup contents are overwritten with the new results
• If lookup.csv does not exist: the createinapp argument determines where the lookup is created
  – createinapp=true (default): lookup file created in the lookups directory of current app
    outputlookup lookup.csv createinapp=true
  – createinapp=false: lookup file created for the system lookups directory
    outputlookup lookup.csv createinapp=false

Using outputlookup with Reports
Create an automatically updated lookup with scheduled reports
index=security sourcetype=linux_secure "failed password" earliest=-30d
| stats count by user
| eval daily_average = round(count/30)
| fields - count
| outputlookup averages.csv createinapp=true

Read the resulting lookup back with:
| inputlookup averages.csv

Geospatial Lookups
• Matches region names in your events to region names in lookup and outputs fields with corresponding geographic feature info
• Location coordinate ranges are provided by geographic feature collections: .KML and .KMZ files
• Geospatial lookups can be invoked in searches to generate choropleth map visualizations
• Splunk ships with two geospatial lookup files:
  – geo_us_states
  – geo_countries

[Figure: choropleth map visualization built from the geo_countries .KMZ lookup]

Geospatial Lookup Files
• Provides geographic feature information used to define a geospatial lookup
  – KML: a type of XML file
  – KMZ: a zipped KML file
• Rely on polygons which are closed shapes that start and end at the same coordinate
• Many are available online or can be created from scratch using software such as Google Earth

geo_countries.kml

<?xml version="1.0" encoding="utf-8" ?>
<kml xmlns="http://www.opengis.net/kml/2.2">
<Document id="root_doc">
<Schema name="countries" id="countries">
<SimpleField name="Name" type="string"></SimpleField>
<SimpleField name="ISO2" type="string"></SimpleField>
<SimpleField name="ISO3" type="string"></SimpleField>
<SimpleField name="REGION_WB" type="string"></SimpleField>
<SimpleField name="REGION_UN" type="string"></SimpleField>
<SimpleField name="SUBREGION" type="string"></SimpleField>
<SimpleField name="CONTINENT" type="string"></SimpleField>
</Schema>
<Folder><name>countries</name>
<Placemark>
<name>Aruba</name>
<Style><LineStyle><color>ff0000ff</color></LineStyle><PolyStyle><fill>0</fill></PolyStyle></Style>
<ExtendedData><SchemaData schemaUrl="#countries">
<SimpleData name="ISO2">AW</SimpleData>
<SimpleData name="ISO3">ABW</SimpleData>
<SimpleData name="REGION_WB">Latin America &amp; Caribbean</SimpleData>
<SimpleData name="REGION_UN">Americas</SimpleData>
<SimpleData name="SUBREGION">Caribbean</SimpleData>
<SimpleData name="CONTINENT">North America</SimpleData>
</SchemaData></ExtendedData>
<Polygon><outerBoundaryIs><LinearRing><coordinates>-69.996937628999916,12.577582098000036 -69.924672003999945,12.519232489000046 -69.880197719999842,12.453558661000045 -69.888091600999928,12.417669989000046 -69.930531378999888,12.425970770000035 -69.945139126999919,12.44037506700009 -69.924672003999945,12.447211005000014 -70.058094855999883,12.537176825000088 -70.048736131999931,12.583726304000024 -70.061105923999975,12.625392971000068 -70.048736131999931,12.632147528000104 -69.996937628999916,12.577582098000036</coordinates></LinearRing></outerBoundaryIs></Polygon>
</Placemark>

geo_countries content for the island country of Aruba. The Polygon tag (highlighted) contains the coordinates Splunk uses to define its choropleth map data.

Using Geospatial Lookups: Scenario 1
index=<index> sourcetype=<sourcetype>
| stats count by featureId
| geom <geo_lookup>

• Upload and define the KML/KMZ file to Splunk (in this example, the lookup is geo_lookup)
• Indicate the events data source that contains either a featureId or location name field (or latitude and longitude; see next slide)
• Use a transforming command to aggregate data based on the lookup's geographic output field
• If visualizing results, select and configure a visualization and use the geom command to generate a choropleth map

Using Geospatial Lookups: Scenario 2
If the event data source does not contain a featureId or location name field but does contain values for longitude and latitude, then a lookup must be added with the lookup table name, longitude, and latitude as arguments

index=<index> sourcetype=<sourcetype>
| lookup geo_lookup latitude longitude
| stats count by featureId
| geom <geo_lookup>

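As an added example, not code from the course or from Splunk, here is a Python model of the step `| lookup geo_lookup latitude longitude` from Scenario 2 followed by `| stats count by featureId`: it parses a KML file of the kind shown on the Geospatial Lookup Files slide and assigns each event a featureId by testing its coordinate pair against the feature polygons. The KML document (two rectangular features named Westland and Eastland), the events and the feature names are all constructed for the example.

```python
# Added example (not Splunk's code): a Python model of a geospatial lookup on
# latitude/longitude. The KML and the events are constructed so it runs offline.
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List, Tuple

KML_NS = "{http://www.opengis.net/kml/2.2}"

# Constructed KML in the same shape as geo_countries.kml: each Placemark has a name,
# SchemaData attributes and a closed LinearRing of lon,lat points.
SAMPLE_KML = """<?xml version="1.0" encoding="utf-8" ?>
<kml xmlns="http://www.opengis.net/kml/2.2">
<Document id="root_doc">
<Folder><name>countries</name>
<Placemark>
<name>Westland</name>
<ExtendedData><SchemaData schemaUrl="#countries">
<SimpleData name="ISO2">WL</SimpleData>
</SchemaData></ExtendedData>
<Polygon><outerBoundaryIs><LinearRing><coordinates>-10,0 0,0 0,10 -10,10 -10,0</coordinates></LinearRing></outerBoundaryIs></Polygon>
</Placemark>
<Placemark>
<name>Eastland</name>
<ExtendedData><SchemaData schemaUrl="#countries">
<SimpleData name="ISO2">EL</SimpleData>
</SchemaData></ExtendedData>
<Polygon><outerBoundaryIs><LinearRing><coordinates>20,0 30,0 30,10 20,10 20,0</coordinates></LinearRing></outerBoundaryIs></Polygon>
</Placemark>
</Folder>
</Document>
</kml>
"""
# Constructed events carrying latitude/longitude but no featureId or region name.
EVENTS = [
    {"src": "198.51.100.7", "latitude": 5.0, "longitude": -5.0},
    {"src": "198.51.100.8", "latitude": 2.5, "longitude": -7.5},
    {"src": "203.0.113.4", "latitude": 5.0, "longitude": 25.0},
    {"src": "203.0.113.9", "latitude": 15.0, "longitude": 5.0},  # inside neither polygon
]
Ring = List[Tuple[float, float]]


def parse_kml(text: str) -> List[Dict]:
    """Extract each Placemark's name (used as the featureId), its SimpleData attributes and
    its outer LinearRing. Note that KML lists coordinates as lon,lat[,alt], not lat,lon."""
    root = ET.fromstring(text.encode("utf-8"))
    features = []
    for placemark in root.iter(KML_NS + "Placemark"):
        name = placemark.findtext(KML_NS + "name")
        attrs = {sd.get("name"): sd.text for sd in placemark.iter(KML_NS + "SimpleData")}
        ring: Ring = []
        for token in placemark.findtext(".//" + KML_NS + "coordinates").split():
            lon, lat = token.split(",")[:2]
            ring.append((float(lon), float(lat)))
        if ring[0] != ring[-1]:  # polygons must start and end at the same coordinate
            raise ValueError(f"LinearRing for {name} is not closed")
        features.append({"featureId": name, "attrs": attrs, "ring": ring})
    return features


def point_in_ring(lon: float, lat: float, ring: Ring) -> bool:
    """Even-odd (ray casting) test: count polygon edges crossed by a ray going east."""
    inside = False
    for (x1, y1), (x2, y2) in zip(ring, ring[1:]):
        if (y1 > lat) != (y2 > lat):
            x_cross = x1 + (lat - y1) * (x2 - x1) / (y2 - y1)
            if lon < x_cross:
                inside = not inside
    return inside


def geo_lookup(events: List[Dict], features: List[Dict]) -> List[Dict]:
    """Model of `| lookup geo_lookup latitude longitude`: events inside a feature polygon
    gain a featureId; events outside every polygon are left without one."""
    out = []
    for event in events:
        event = dict(event)
        for feature in features:
            if point_in_ring(event["longitude"], event["latitude"], feature["ring"]):
                event["featureId"] = feature["featureId"]
                break
        out.append(event)
    return out


def count_by_feature(events: List[Dict], kml_text: str = SAMPLE_KML) -> Dict[str, int]:
    """Model of `| stats count by featureId` (events without the BY field are dropped)."""
    enriched = geo_lookup(events, parse_kml(kml_text))
    return dict(Counter(e["featureId"] for e in enriched if "featureId" in e))


if __name__ == "__main__":
    print(count_by_feature(EVENTS))  # this is the table geom turns into a choropleth
```

The fourth event shows the failure mode worth knowing about: a coordinate that falls inside no polygon never receives a featureId, so it disappears from the stats output and from the map rather than raising an error.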
Using Lookup Command Lab Exercise
Time: 30 minutes
Tasks:
• Verify that a lookup has been uploaded correctly
• Use the lookup command to invoke a lookup in search
• Invoke two lookups in search to find users who have accessed
uncategorized URLs over the last 24 hours
• Generate a choropleth map with the geom command
• Troubleshoot a search that uses the lookup command
• Challenge: Filter a search by excluding values from a lookup

Adding a Subsearch

Topic Objectives
• Define subsearch
• Use subsearch to filter results
• Identify when to use subsearch
• Understand subsearch limitations and alternatives

What is a Subsearch?
• When present in a search pipeline, a subsearch is executed first and sends its results to the basic (outer) search (1)
  – Must start with a generating command (inputlookup, search, etc.)
  – Enclosed in square brackets
• Subsearch results are combined with an OR Boolean and attached to the outer search with an AND Boolean (2)

[subsearch] becomes: field="value1" OR field="value2" OR field="value3"…

Search as written:
index=indexName sourcetype=sourcetypeName
[subsearch]
| additional commands

Search as executed:
index=indexName sourcetype=sourcetypeName AND (field="value1" OR field="value2" OR field="value3"…)
| additional commands

Events from this index/sourcetype containing one of these fields are then processed by the remaining commands in the outer search

Note: Subsearches can return field pairs in the form of (field1="valueA" AND field2="valueA") OR (field1="valueB" AND field2="valueB") AND…

What is a Subsearch? (cont.)
• Multiple subsearches can be used in a search
• Subsearches can be nested
• Great for filtering data that you cannot describe directly in a search expression

Scenario: Find the most active user over the last 7 days and count this user's events by usage.

index=network sourcetype=cisco_wsa_squid
[search index=network sourcetype=cisco_wsa_squid
| stats count by username
| sort -count
| return 1 username]
| stats count by usage, username
| stats list(usage) as usage, list(count) as count by username

[Figure: what the subsearch sends to the outer search]

Using Subsearch with inputlookup
Use a subsearch to access lookup data with inputlookup and pass values to the search

index=security sourcetype=linux_secure fail* [inputlookup knownusers.csv]
| stats values(src_ip) as attackerIP, count as failures by user
| search failures > 3

[Figure: excerpt from knownusers.csv]

Using Subsearch with inputlookup (cont.)
Include a NOT operator before a lookup subsearch to exclude lookup values

Scenario: SecOps is finding an increase in penetration attempts. Find unknown users with more than 3 failed logins within the last 60 minutes.

index=security sourcetype=linux_secure fail* NOT [inputlookup knownusers.csv]
| stats values(src_ip) as attackerIP, count as failures by user
| search failures > 3
| sort -failures

Filtering Through Many Results
• Most hacking attempts begin with many failures from one or more source IP addresses

Scenario: The Security Operations manager wants a list of all IP addresses that might have been used by people trying to hack into the network during the last 4 hours.

• This search counts failures by src_ip and produces many results
• Let's improve the results and make them more meaningful

Filtering Through Many Results (cont.)
Scenario: The Security Operations manager wants a list of all IP addresses that might have been used by people trying to hack into the network during the last 4 hours.

index=security sourcetype=linux_secure "failed password" src_ip!=10.*
| stats count by src_ip
| where count > 10

• Focus search on failed password attempts from external src_ip (1)
• Count events by src_ip (2)
• Display src_ips with more than 10 associated events (3)
• However, it is still unclear if these src_ips gained network access

What are We Trying to Find?

[Figure: a hacker using the external IP 123.118.73.155 makes multiple failed attempts at gaining access to the network … then is finally granted access to the network]

• The external IPs we want to find should be associated with multiple failed attempts and at least one successful attempt
• Use a subsearch to find IPs with multiple failed events
• Then, send these IPs to the outer search to see which IPs eventually gained access to the network

Filtering with Subsearch
Subsearch:
[search index=security sourcetype=linux_secure "failed password" src_ip!=10.*
| stats count by src_ip
| where count > 10
| fields src_ip]

Full search:
index=security sourcetype=linux_secure "accepted"
[search index=security sourcetype=linux_secure "failed password" src_ip!=10.*
| stats count by src_ip
| where count > 10
| fields src_ip]
| dedup src_ip
| table src_ip

Outer search as executed:
index=security sourcetype=linux_secure "accepted"
AND ( ( src_ip="109.169.32.135" ) OR ( src_ip="128.241.220.82" ) OR ( src_ip="141.146.8.66" ) OR ( src_ip="143.139.165.91" )
OR ( src_ip="144.251.73.1" ) OR ( src_ip="188.138.40.166" ) OR ( src_ip="194.215.205.19" ) OR ( src_ip="21.116.186.136" )
OR ( src_ip="211.166.11.101" ) OR ( src_ip="52.175.19.220" ) OR ( src_ip="59.36.99.70" ) OR ( src_ip="63.239.32.178" )
OR ( src_ip="67.39.247.107" ) OR ( src_ip="69.175.97.11" ) OR ( src_ip="82.15.30.214" ) OR ( src_ip="87.194.216.51" ) )
| dedup src_ip
| table src_ip

Viewing Results of Subsearch with format
• Run a subsearch separately with the format command as the last pipe to view output
• Very useful for troubleshooting subsearches

index=security sourcetype=linux_secure "failed password" src_ip!=10.*
| stats count by src_ip
| where count > 10
| fields src_ip
| format

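As an added example, not code from the course or from Splunk, the following Python block models how the subsearch on the "What is a Subsearch?", "Filtering with Subsearch" and "Viewing Results of Subsearch with format" slides is evaluated: the inner search runs first, its rows are rendered as ( field="value" ) terms joined by OR (the text `| format` displays), and the outer search keeps only the "accepted" events that satisfy that expression. It also models the default 10,000-row subsearch limit from the caveats slide as a `max_results` cut-off. The linux_secure-style events and the rendering for an empty result set are constructed assumptions.

```python
# Added example (not Splunk's code): a Python model of subsearch evaluation, format
# output and outer-search filtering. Events are constructed so the block runs offline.
from collections import Counter
from typing import Dict, List, Tuple


def make_events() -> List[Dict[str, str]]:
    """Constructed events: for each src_ip, N failed passwords and optionally one acceptance."""
    profile = [
        ("198.51.100.23", 12, True),   # many failures, then accepted: what we want to find
        ("203.0.113.77", 15, False),   # many failures, never accepted
        ("192.0.2.8", 3, True),        # a few typos, then accepted: an ordinary user
        ("10.0.0.5", 20, True),        # internal host, excluded by src_ip!=10.*
    ]
    events = []
    for ip, failures, accepted in profile:
        events += [{"msg": "Failed password for invalid user", "src_ip": ip}] * failures
        if accepted:
            events.append({"msg": "Accepted password", "src_ip": ip})
    return events


def inner_search(events: List[Dict[str, str]], threshold: int = 10,
                 max_results: int = 10000) -> List[Dict[str, str]]:
    """Model of the subsearch:
         search "failed password" src_ip!=10.* | stats count by src_ip
         | where count > threshold | fields src_ip
    max_results models the default subsearch result limit: rows beyond it are dropped
    without error, so the outer search then filters on a partial result set."""
    counts = Counter(
        ev["src_ip"] for ev in events
        if "Failed password" in ev["msg"] and not ev["src_ip"].startswith("10.")
    )
    rows = [{"src_ip": ip} for ip, n in sorted(counts.items()) if n > threshold]
    return rows[:max_results]


def format_rows(rows: List[Dict[str, str]]) -> str:
    """Model of `| format`: each row becomes ( f1="v1" AND f2="v2" ) and the rows are ORed.
    This is the text the outer search receives in place of [subsearch]."""
    if not rows:
        return "NOT( )"  # assumed rendering of an empty result set: it matches nothing
    terms = ["( " + " AND ".join(f'{k}="{v}"' for k, v in row.items()) + " )" for row in rows]
    return "( " + " OR ".join(terms) + " )"


def matches(event: Dict[str, str], rows: List[Dict[str, str]]) -> bool:
    """Evaluate the spliced-in expression: some row must match, with all of its pairs."""
    return any(all(event.get(k) == v for k, v in row.items()) for row in rows)


def outer_search(events: List[Dict[str, str]], rows: List[Dict[str, str]]) -> List[str]:
    """Model of: "accepted" AND (subsearch expression) | dedup src_ip | table src_ip"""
    seen, result = set(), []
    for ev in events:
        if "Accepted" in ev["msg"] and matches(ev, rows) and ev["src_ip"] not in seen:
            seen.add(ev["src_ip"])
            result.append(ev["src_ip"])
    return result


def find_successful_brute_forcers(events: List[Dict[str, str]]) -> Tuple[str, List[str]]:
    """Whole pipeline: the format text (useful for troubleshooting) and the outer result."""
    rows = inner_search(events)
    return format_rows(rows), outer_search(events, rows)


if __name__ == "__main__":
    expression, hits = find_successful_brute_forcers(make_events())
    print(expression)
    print(hits)
```

Running `inner_search(..., max_results=1)` against the same events shows why the caveats slide matters for detection content: the second noisy source silently drops out of the OR expression, and the outer search can no longer report it even if it later gained access.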
Subsearch Caveats
Subsearches are limited by both time and event count

Default time limit = 60 seconds
• If the subsearch continues to run after this time, it is finalized
• Only the events found during that time are returned to the outer search

Default results limit = 10,000
• When the limit is met, the results are truncated (partial result set)

• If the outer search executes in real-time, the subsearch executes over all time by default
  – Executing over all time is not recommended for subsearches
  – Use earliest and latest in subsearch to avoid executing over all time

When to Use Subsearch
Subsearch passes results to the outer search for filtering; therefore, subsearches work best if they produce a small result set

[Figure: the inner search ("subsearch") passes its results to the outer search]

Alternatives to Subsearch
• If a subsearch produces many results, then it is generally more efficient to use stats and eval
• Subsearches take longer than other types of searches
• Searches that execute often, e.g. scheduled reports or searches executed from the dashboard, should not use subsearches

turn data into doing™ 38 Copyright © 2023 Splunk, Inc. All rights reserved | 1 March 2023
Finding "Tailgaters" with Subsearch
Scenario: The CSO wants a list of tailgaters during the last 4 hours. A tailgater is someone who logged into the network but did not badge into the building.

• Create a subsearch to find unique users who badged into the building
• Create an outer search to find users who logged into the network but did not appear in subsearch results

Finding "Tailgaters" with Subsearch (cont.)
Scenario: The CSO wants a list of tailgaters during the last 4 hours.

index=security sourcetype=winauthentication_security
(EventCode=540 OR EventCode=4624)
NOT
[search index=security
sourcetype=history_access
Event_Description=Access
| dedup User
| fields User]
| stats count by User
| fields - count

• Use subsearch to find unique users who badged in (1)
• Find users who logged onto the network (2)
• Filter outer search results by excluding users found in the subsearch (3)

Finding "Tailgaters" with eval and stats
If you are working with a large set of data, use eval with stats for better search performance

(index=security sourcetype=winauthentication_security
(EventCode=540 OR EventCode=4624))
OR (index=security sourcetype=history_access
Event_Description=Access)
| eval badge_access = if(sourcetype="history_access", 1, 0)
| stats max(badge_access) as badged_in by User
| where badged_in = 0
| sort User
| fields - badged_in

[Figure: job comparison of the two searches; using eval and stats completes 30% faster than using subsearch]

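The two tailgater searches from the slides above, modelled in Python as an added example (not the course's or Splunk's code), to show that the subsearch form and the eval/stats form select the same users from the same events. The winauthentication_security and history_access events, and the user names, are constructed for the example.

```python
# Added example (not Splunk's code): the two "tailgater" searches modelled over
# constructed events, to show the subsearch and eval/stats forms agree.
from typing import Dict, List

# Constructed events from the two sourcetypes used on the slides.
EVENTS = [
    {"sourcetype": "winauthentication_security", "EventCode": "4624", "User": "alice"},
    {"sourcetype": "winauthentication_security", "EventCode": "540", "User": "bob"},
    {"sourcetype": "winauthentication_security", "EventCode": "4624", "User": "bob"},
    {"sourcetype": "winauthentication_security", "EventCode": "4634", "User": "carol"},  # logoff, not a logon
    {"sourcetype": "winauthentication_security", "EventCode": "4624", "User": "dave"},
    {"sourcetype": "history_access", "Event_Description": "Access", "User": "alice"},
    {"sourcetype": "history_access", "Event_Description": "Denied", "User": "dave"},
    {"sourcetype": "history_access", "Event_Description": "Access", "User": "erin"},
]
LOGON_CODES = {"540", "4624"}


def is_network_logon(ev: Dict[str, str]) -> bool:
    """sourcetype=winauthentication_security (EventCode=540 OR EventCode=4624)"""
    return ev["sourcetype"] == "winauthentication_security" and ev.get("EventCode") in LOGON_CODES


def is_badge_access(ev: Dict[str, str]) -> bool:
    """sourcetype=history_access Event_Description=Access"""
    return ev["sourcetype"] == "history_access" and ev.get("Event_Description") == "Access"


def tailgaters_with_subsearch(events: List[Dict[str, str]]) -> List[str]:
    """Model of the subsearch form:
         <logon events> NOT [search <badge events> | dedup User | fields User]
         | stats count by User | fields - count"""
    badged = {ev["User"] for ev in events if is_badge_access(ev)}   # what the subsearch returns
    logged_on = {ev["User"] for ev in events if is_network_logon(ev)}
    return sorted(logged_on - badged)  # NOT (User=a OR User=b ...), then stats by User


def tailgaters_with_eval_stats(events: List[Dict[str, str]]) -> List[str]:
    """Model of the single-pass form:
         (<logon events>) OR (<badge events>)
         | eval badge_access = if(sourcetype="history_access", 1, 0)
         | stats max(badge_access) as badged_in by User
         | where badged_in = 0 | sort User | fields - badged_in"""
    badged_in: Dict[str, int] = {}
    for ev in events:
        if not (is_network_logon(ev) or is_badge_access(ev)):
            continue  # the base search's two OR'd clauses select only these events
        badge_access = 1 if ev["sourcetype"] == "history_access" else 0
        badged_in[ev["User"]] = max(badged_in.get(ev["User"], 0), badge_access)
    return sorted(user for user, flag in badged_in.items() if flag == 0)


if __name__ == "__main__":
    print(tailgaters_with_subsearch(EVENTS))
    print(tailgaters_with_eval_stats(EVENTS))
```

The eval/stats form reads every event once and never materialises the list of badged users, so it is not exposed to the subsearch time and result-count limits described on the caveats slide; that, not only the 30% figure, is the reason to prefer it on a large building population.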
Troubleshooting Subsearches
• Click after a bracket or parenthesis and a box encloses the corresponding item
• Run both searches independently to confirm events are being returned and to gain an understanding of the data
• Know when it’s efficient to use subsearch versus using a search with eval and stats

Adding a Subsearch Lab Exercise
Time: 15 minutes
Tasks:
• Use a subsearch and a lookup to filter search results
• Combine two searches to create a single search with an outer search and an inner subsearch

Using the return Command

Topic Objectives
• Use the return command
• Compare return and fields commands

return Results from a Subsearch
...| return [<count>] [<field>…][<alias>=<field>…][$<field>…]

• Used to pass values from a subsearch to the outer search
• <count> is an integer that tells Splunk how many rows of results to return; by default, Splunk only returns the first row
• Specify one or more <field> to return, separated by spaces
  – Use $<field> to return just the values (i.e. no field name)
  – Use <alias>=<field> to return and rename fields

return Command Examples
index=security sourcetype=linux_secure
"failed password" src_ip!=10.*
| stats count by src_ip
| where count>10
| return src_ip

index=security sourcetype=linux_secure
"failed password" src_ip!=10.*
| stats count by src_ip
| where count>10
| return $src_ip

index=security sourcetype=linux_secure
"failed password" src_ip!=10.*
| stats count by src_ip
| where count>10
| return ip=src_ip

return versus fields
Send all values to the outer search with fields or use return if you want more control over how results are sent to the outer search

Using return gives you more control over how many values to return and whether to return the field name:
index=security sourcetype=linux_secure "failed password" src_ip!=10.*
| stats count by src_ip
| where count>10
| sort -count
| return 3 src_ip

fields sends all key-value pairs for src_ip that satisfied the search:
index=security sourcetype=linux_secure "failed password" src_ip!=10.*
| stats count by src_ip
| where count>10
| sort -count
| fields src_ip

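As an added example, not code from the course or from Splunk, this Python block models how the return command renders subsearch rows for every form on the "return Command Examples" and "return versus fields" slides: `return src_ip`, `return $src_ip`, `return ip=src_ip` and `return 3 src_ip`, beside what `fields src_ip` sends. The rows are a constructed stand-in for the output of `stats count by src_ip | where count>10 | sort -count`; the exact quoting of values is an assumption of the model.

```python
# Added example (not Splunk's code): a Python model of the return command's output
# forms next to the fields form. Rows are constructed so the block runs offline.
from typing import Dict, List

ROWS: List[Dict[str, object]] = [  # constructed; already sorted by -count
    {"src_ip": "203.0.113.77", "count": 15},
    {"src_ip": "198.51.100.23", "count": 12},
    {"src_ip": "192.0.2.200", "count": 11},
    {"src_ip": "198.51.100.9", "count": 11},
]


def splunk_return(rows: List[Dict[str, object]], *specs: str, count: int = 1) -> str:
    """Model of: | return [<count>] [<field>...] [<alias>=<field>...] [$<field>...]
    Each spec is a field name, 'alias=field' or '$field'. Only the first `count` rows
    are used (default 1). One row yields its terms separated by spaces (implicit AND);
    several rows are each parenthesised and joined with OR."""
    rendered = []
    for row in rows[:count]:
        terms = []
        for spec in specs:
            if spec.startswith("$"):            # $field: just the value, no field name
                terms.append(f'"{row[spec[1:]]}"')
            elif "=" in spec:                   # alias=field: return under a new name
                alias, field = spec.split("=", 1)
                terms.append(f'{alias}="{row[field]}"')
            else:                               # field: field="value"
                terms.append(f'{spec}="{row[spec]}"')
        rendered.append(" ".join(terms))
    if len(rendered) == 1:
        return rendered[0]
    return " OR ".join(f"({r})" for r in rendered)


def splunk_fields(rows: List[Dict[str, object]], *fields: str) -> str:
    """Model of `| fields <fields>` as the last command of a subsearch: every row is sent,
    each as field="value" pairs, with the rows joined by OR."""
    terms = [" AND ".join(f'{f}="{row[f]}"' for f in fields) for row in rows]
    return " OR ".join(f"( {t} )" for t in terms)


if __name__ == "__main__":
    print(splunk_return(ROWS, "src_ip"))            # first row, with the field name
    print(splunk_return(ROWS, "$src_ip"))           # first row, value only
    print(splunk_return(ROWS, "ip=src_ip"))         # first row, renamed to ip
    print(splunk_return(ROWS, "src_ip", count=3))   # three rows, ORed
    print(splunk_fields(ROWS, "src_ip"))            # every row, ORed
```

The `ip=src_ip` form is the one to reach for when the outer search names the address differently from the subsearch (for example a firewall log whose field is `ip`), since the outer search can only match on field names it actually has.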
Using the return Command Lab Exercise
Time: 10 minutes
Tasks:
• Return search results as key-value pairs
• Use a subsearch to return key-value pairs from a lookup and use
these values to filter search results

Wrap-up Slides

Wrap-up
• You should now be able to:
  – Use lookup, inputlookup commands and subsearches to enrich and filter search results
  – Use the return command to control how subsearch results are sent to the main search

Community
• Splunk Community Portal – community.splunk.com
  – Answers
  – Discussions
  – Splunk Trust
  – User Groups
  – Ideas
• Splunk Blogs – splunk.com/blog/
• Splunk Base – splunkbase.com
  – Apps
  – Curated Collections
• Splunk Docs on Twitter – twitter.com/splunkdocs
• Splunk Dev on Twitter – twitter.com/splunkdev
• Splunk on Slack – splk.it/slack
• .conf – conf.splunk.com
• Knowledge Base – Search knowledge base, Community answers, and docs to troubleshoot your issue
• splunk>dev – Documentation for developers
• Splunk Docs – Product, best practices, and tools documentation for all Splunk products
• Splunk Lantern – Actionable guidance by experts
• Create a case – Support for critical issues
• Contact Us – Find region-specific support
  – (855) SPLUNK.S or (855) 775.8657
  – Not in the US? Find your local office
• System Status – Cloud Services, Observability Cloud, Splunk On-Call, Synthetic Monitoring
• Splunk Product Security – Critical Security Alerts, Quarterly Security Patches, and 3rd Party Bulletins

Splunk How-To Channel
Free, short videos on a variety of Splunk topics: splk.it/How-To

Learning Paths
Search Expert – Recommended Courses
Free eLearning courses are highlighted in blue and courses with an * are present in both learning paths.
• What is Splunk *
• Introduction to Splunk *
• Using Fields *
• Scheduling Reports and Alerts
• Visualizations
• Statistical Processing
• Working with Time
• Comparing Values
• Result Modification
• Leveraging Lookups and Subsearches
• Correlation Analysis
• Search Under the Hood
• Multivalue Fields
• Search Optimization *

Learning Paths
Knowledge Manager – Recommended Courses
Free eLearning courses are highlighted in blue and courses with an * are present in both learning paths.
• What is Splunk *
• Introduction to Splunk *
• Using Fields *
• Introduction to Knowledge Objects
• Creating Knowledge Objects
• Creating Field Extractions
• Enriching Data with Lookups
• Data Models
• Introduction to Dashboards
• Dynamic Dashboards
• Using Choropleth
• Search Optimization *


Splunk Mobile
• Free app available to all Splunk Cloud and Splunk Enterprise customers
• Analyze data and receive actionable alerts on-the-go with mobile-friendly dashboards
• iOS and Android
• See the Product Brief
• Download for iOS splk.it/ios

Splunk Certification
Offerings & Requirements

Splunk Core and Beyond
Regardless of which Splunk product you use, it all starts with Splunk Core

Splunk Cloud

Splunk Core
Recommended

Splunk Enterprise
App-Specific Offerings
For Splunk Add-Ons

App ES ITSI SOAR


Developer Administration Administration Automation
Developer
Splunk Core Certified User
This entry-level certification demonstrates an individual's basic ability to navigate and use Splunk software

Prerequisite Certification(s): Splunk Core Certified User Exam Congratulations! You are a...
• None Time to study! We suggest candidates looking to prepare for
this exam complete Fundamentals 1 or the following courses:
Prerequisite Course(s): • What is Splunk?
• None • Intro to Splunk
• Using Fields
• Scheduling Reports and Alerts
• Visualizations
• Statistical Processing
• Working with Time Recommended Next Step
• Leveraging Lookups and Subsearches
• Splunk Core Certified Power User
• Search Optimization
• Enriching Data with Lookups
• Data Models
See here for registration assistance.
Splunk Core Certified Power User
This entry-level certification demonstrates an individual's foundational competence of Splunk's core software.

Prerequisite Certification(s):
• None

Prerequisite Course(s):
• None

Splunk Core Certified Power User Exam
Time to study! We suggest candidates looking to prepare for this exam complete Fundamentals 2 or the following courses:
• Visualizations
• Statistical Processing
• Working with Time
• Comparing Values
• Result Modification
• Correlation Analysis
• Search Under the Hood
• Introduction to Knowledge Objects
• Creating Knowledge Objects
• Creating Field Extractions
• Data Models
• Using Choropleth

Congratulations! You are a...
Recommended Next Steps:
• Splunk Core Certified Advanced Power User
• Splunk Enterprise Certified Admin
• Splunk Cloud Certified Admin

See here for registration assistance.

Splunk Core Certified Advanced Power User
This certification demonstrates an individual's ability to generate complex searches, reports, and dashboards with Splunk's core software to get the most out of their data.

Prerequisite Certification(s):
• Splunk Core Certified Power User

Prerequisite Course(s):
• None

Splunk Core Certified Advanced Power User Exam
Time to study! We suggest candidates looking to prepare for this exam complete Fundamentals 3, Creating Dashboards, and Advanced Searching & Reporting or the following courses:
• Using Fields
• Working with Time
• Comparing Values
• Result Modification
• Leveraging Lookups and Subsearches
• Correlation Analysis
• Search Under the Hood
• Multivalue Fields
• Search Optimization
• Creating Field Extractions
• Enriching Data with Lookups
• Data Models
• Using Choropleth
• Introduction to Dashboards
• Dynamic Dashboards

Congratulations! You are a...
Recommended Next Steps:
• Splunk Enterprise Certified Admin
• Splunk Cloud Certified Admin

See here for registration assistance.
Splunk Cloud Certified Admin
This certification demonstrates an individual's ability to support the day-to-day administration and health of a Splunk Cloud environment.

Prerequisite Certification(s):
• Splunk Core Certified Power User

Prerequisite Course(s):
• None

Splunk Cloud Certified Admin Exam
Time to study! We suggest candidates looking to prepare for this exam complete either the Splunk Cloud Administration or the Transitioning to Splunk Cloud course.

Both courses will equally prepare candidates for the exam, but are tailored to meet the needs of the individual based on prior Splunk experience. Splunk Cloud Administration is designed for net-new administrators working in a Splunk Cloud environment. Transitioning to Splunk Cloud is for experienced Enterprise administrators looking to maximize their success in migrating to a Cloud environment.

Congratulations! You are a...
Recommended Next Steps:
• Splunk Certified Developer

See here for registration assistance.

Splunk Enterprise Certified Admin
This certification demonstrates an individual's ability to support the day-to-day administration and health of a Splunk Enterprise environment.

Prerequisite Certification(s):
• Splunk Core Certified Power User

Prerequisite Course(s):
• None

Splunk Enterprise Certified Admin Exam
Time to study! We suggest candidates looking to prepare for this exam complete the following courses:
• Splunk System Administration
• Splunk Data Administration

Congratulations! You are a...
Recommended Next Steps:
• Splunk Enterprise Certified Architect
• Splunk Certified Developer

See here for registration assistance.

Splunk Certified Architect
This certification demonstrates an individual's ability to deploy, manage, and troubleshoot complex Splunk Enterprise environments.

Prerequisite Certification(s):
• Splunk Core Certified Power User
• Splunk Enterprise Certified Admin

Prerequisite Course(s):
• Architecting Splunk Enterprise Deployments
• Troubleshooting Splunk Enterprise
• Splunk Cluster Administration
• Splunk Deployment Practical Lab

Splunk Enterprise Certified Architect Exam
Time to study! We require candidates looking to register for this exam to complete the four prerequisite courses listed above.

Candidates who are Splunk Enterprise Certified Admin and have completed all of the above courses will automatically receive an exam authorization for the Splunk Enterprise Certified Architect exam within 5-7 business days of receiving their passing lab results.

Congratulations! You are a...
Recommended Next Steps:
• Splunk Core Certified Consultant

See here for registration assistance.

Splunk Core Certified Consultant
This certification demonstrates an individual's ability to properly size, install, and implement Splunk environments and to advise others on how to utilize the product and maximize its value for their needs.

Prerequisite Certification(s):
• Splunk Core Certified Power User
• Splunk Enterprise Certified Admin
• Splunk Enterprise Certified Architect

Prerequisite Course(s):
• Advanced Power User courses or digital badge*
• Core Consultant Labs
• Indexer Cluster Implementation
• Distributed Search Migration
• Implementation Fundamentals
• Architect Implementation 1-3
• Services Core Implementation

Splunk Core Certified Consultant Exam
Time to study! We require candidates looking to register for this exam to complete the following prerequisite courses:
• Fundamentals 3, Creating Dashboards, Advanced Searching & Reporting*
• Core Consultant Labs
• Services Core Implementation

Candidates who are Splunk Enterprise Certified Architects and have completed all of the above courses must contact [email protected] to request their Core Consultant exam authorization.

Congratulations! You are a...
Recommended Next Steps:
• None

See here for registration assistance.

*These Advanced Power User courses can be replaced with a Splunk Certified Advanced Power User badge or completion of the following courses:
• Using Fields
• Creating Field Extractions
• Enriching Data with Lookups
• Data Models
• Search Optimization
• Working with Time
• Leveraging Lookups and Subsearches
• Comparing Values
• Correlation Analysis
• Result Modification
• Multivalue Fields
• Search Under the Hood
• Introduction to Dashboards
• Dynamic Dashboards
• Using Choropleth
Splunk Certified Developer
This certification demonstrates an individual's expertise in drilldowns, advanced behaviors and visualizations, planning, creating, and packaging apps, and REST endpoints.

Prerequisite Certification(s):
• Splunk Core Certified Power User
AND
• Splunk Enterprise Certified Admin
OR
• Splunk Cloud Certified Admin

Prerequisite Course(s):
• None

Splunk Certified Developer Exam
Time to study! We suggest candidates looking to prepare for this exam complete the following courses:
• Creating Dashboards with Splunk*
• Advanced Dashboards & Visualizations
• Building Splunk Apps
• Developing with Splunk's REST API

*This course may also be substituted with the following newly-launched courses:
• Introduction to Dashboards
• Dynamic Dashboards
• Using Choropleth

Congratulations! You are a...
Recommended Next Steps:
• None

See here for registration assistance.
Splunk Enterprise Security Certified Admin
This certification demonstrates an individual's ability to install, configure, and manage a Splunk Enterprise Security deployment.

Prerequisite Certification(s):
• None

Prerequisite Course(s):
• None

Splunk Enterprise Security Certified Admin Exam
Time to study! We suggest candidates looking to prepare for this exam complete the following course:
• Administering Splunk Enterprise Security

Please note: all candidates are expected to have working knowledge and experience as either Splunk Cloud or Splunk Enterprise Administrators.

Congratulations! You are a...
Recommended Next Steps:
• Splunk Phantom Certified Admin

See here for registration assistance.

Splunk IT Service Intelligence Certified Admin
This certification demonstrates an individual's ability to deploy, manage, and utilize Splunk ITSI to monitor mission-critical services.

Prerequisite Certification(s):
• None

Prerequisite Course(s):
• None

Splunk IT Service Intelligence Certified Admin Exam
Time to study! We suggest candidates looking to prepare for this exam complete the following course:
• Implementing Splunk IT Service Intelligence

Please note: all candidates are expected to have working knowledge and experience as either Splunk Cloud or Splunk Enterprise Administrators.

Congratulations! You are a...
Recommended Next Steps:
• Courses on Observability

See here for registration assistance.
Splunk SOAR Certified Automation Developer
This certification demonstrates an individual's ability to install and configure a SOAR server, integrate it with Splunk, and plan, design, create, and debug playbooks.

Prerequisite Certification(s):
• None

Prerequisite Course(s):
• None

Splunk SOAR Certified Automation Developer Exam
Time to study! We suggest candidates looking to prepare for this exam complete the following courses:
• Administering SOAR (Phantom)
• Developing SOAR (Phantom) Playbooks
• Advanced SOAR (Phantom) Implementation

Please note: all candidates are expected to have working knowledge and experience as either Splunk Cloud or Splunk Enterprise Administrators.

Congratulations! You are a...
Recommended Next Steps:
• None

See here for registration assistance.
© 2022 SPLUNK INC.

Thank You