Lookup Manifest Schema

https://api.splunkresearch.com/schemas/lookups.json

An object that defines a lookup file and its properties.

Abstract: Can be instantiated
Extensible: No
Status: Unknown status
Identifiable: No
Custom Properties: Forbidden
Additional Properties: Allowed
Access Restrictions: none
Defined In: lookups.spec.json

Lookup Manifest Type

object (Lookup Manifest)

one (and only one) of

Lookup Manifest Properties

Property              Type     Required  Nullable        Defined by
case_sensitive_match  string   Optional  cannot be null  Lookup Manifest
collection            string   Optional  cannot be null  Lookup Manifest
default_match         string   Optional  cannot be null  Lookup Manifest
description           string   Optional  cannot be null  Lookup Manifest
fields_list           string   Optional  cannot be null  Lookup Manifest
filename              string   Optional  cannot be null  Lookup Manifest
filter                string   Optional  cannot be null  Lookup Manifest
match_type            string   Optional  cannot be null  Lookup Manifest
max_matches           integer  Optional  cannot be null  Lookup Manifest
min_matches           integer  Optional  cannot be null  Lookup Manifest
name                  string   Optional  cannot be null  Lookup Manifest

case_sensitive_match

What the macro is intended to filter

case_sensitive_match Type

string

case_sensitive_match Constraints

enum: the value of this property must be equal to one of the following values:

Value
"true"
"false"

case_sensitive_match Examples

'true'

collection

Name of the collection to use for this lookup

collection Type

string

collection Examples

prohibited_apps_launching_cmd

default_match

The default value if no match is found

default_match Type

string

default_match Examples

'true'

description

The description of this lookup

description Type

string

description Examples

This lookup contains file names that exist in the Windows\System32 directory

fields_list

A comma-and-space-separated list of field names

fields_list Type

string

fields_list Examples

_key, dest, process_name

filename

The name of the file to use for this lookup

filename Type

string

filename Examples

prohibited_apps_launching_cmd.csv

filter

Use this attribute to improve search performance when working with significantly large KV

filter Type

string

filter Examples

dest="SPLK_*"

match_type

A comma-and-space-delimited list of <match_type>(<field_name>) specifications to allow for non-exact matching

match_type Type

string

match_type Examples

WILDCARD(process)

max_matches

The maximum number of possible matches for each input lookup value

max_matches Type

integer

max_matches Examples

'100'

min_matches

Minimum number of possible matches for each input lookup value

min_matches Type

integer

min_matches Examples

'1'

name

The name of the lookup to be used in searches

name Type

string

name Examples

isWindowsSystemFile_lookup
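The following validator is an added example, not part of the schema page or of the project that publishes it. It checks a manifest object against the constraints documented above: the property table (types, no nulls), the "true"/"false" enum on case_sensitive_match, and the comma-and-space list format of fields_list and match_type. Two points are this example's own assumptions rather than anything the schema states: keys outside the property table are rejected (reading "Custom Properties: Forbidden" as additionalProperties=false), and each match_type token is cross-checked against fields_list. The exact grammar of a match_type token is likewise an assumed regular expression based only on the WILDCARD(process) shape shown. The sample manifests are constructed from the page's own example values.

```python
"""Validate a Lookup Manifest dict against the constraints documented on this page."""
import re

# Property -> expected Python type, taken from the "Lookup Manifest Properties" table.
ALLOWED_PROPERTIES = {
    "case_sensitive_match": str,
    "collection": str,
    "default_match": str,
    "description": str,
    "fields_list": str,
    "filename": str,
    "filter": str,
    "match_type": str,
    "max_matches": int,
    "min_matches": int,
    "name": str,
}
CASE_SENSITIVE_ENUM = {"true", "false"}
# One <match_type>(<field_name>) token such as WILDCARD(process).
# Assumption: the schema only shows the shape, so this token grammar is ours.
MATCH_TYPE_TOKEN = re.compile(r"^[A-Z_]+\([A-Za-z0-9_]+\)$")


def split_comma_space_list(value):
    """Split a 'comma and space separated' list; return (items, error_or_None)."""
    items = value.split(", ")
    for item in items:
        # An empty item, stray whitespace, or an embedded comma means the
        # separator was not exactly ", ".
        if not item or item != item.strip() or "," in item:
            return items, "items must be separated by exactly ', '"
    return items, None


def validate_lookup_manifest(manifest):
    """Return a list of error strings; an empty list means the manifest is valid."""
    if not isinstance(manifest, dict):
        return ["manifest must be an object"]
    errors = []
    for key, value in manifest.items():
        if key not in ALLOWED_PROPERTIES:
            # Assumption: unknown keys are rejected (Custom Properties: Forbidden).
            errors.append(f"{key}: not a documented Lookup Manifest property")
            continue
        if value is None:
            errors.append(f"{key}: cannot be null")
            continue
        expected = ALLOWED_PROPERTIES[key]
        # bool is a subclass of int in Python, so exclude it explicitly for integers.
        if isinstance(value, bool) or not isinstance(value, expected):
            errors.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
            continue
        if key == "case_sensitive_match" and value not in CASE_SENSITIVE_ENUM:
            errors.append(f'{key}: must be one of "true", "false"')
        elif key == "fields_list":
            _, err = split_comma_space_list(value)
            if err:
                errors.append(f"{key}: {err}")
    # match_type tokens must have the documented <match_type>(<field_name>) shape and,
    # as an extra consistency check that is not in the schema, name a field from fields_list.
    match_type = manifest.get("match_type")
    fields_list = manifest.get("fields_list")
    if isinstance(match_type, str):
        known_fields = split_comma_space_list(fields_list)[0] if isinstance(fields_list, str) else None
        for token in match_type.split(", "):
            if not MATCH_TYPE_TOKEN.match(token):
                errors.append(f"match_type: {token!r} is not <match_type>(<field_name>)")
            elif known_fields is not None and token[token.index("(") + 1:-1] not in known_fields:
                errors.append(f"match_type: field in {token!r} is not in fields_list")
    return errors


# Constructed sample manifests built from the example values on this page.
SAMPLE_MANIFEST = {
    "name": "isWindowsSystemFile_lookup",
    "description": "This lookup contains file names that exist in the Windows\\System32 directory",
    "filename": "prohibited_apps_launching_cmd.csv",
    "fields_list": "_key, dest, process_name",
    "match_type": "WILDCARD(process_name)",
    "case_sensitive_match": "true",
    "default_match": "true",
    "min_matches": 1,
    "max_matches": 100,
}
BAD_MANIFEST = {
    "name": "bad_lookup",
    "case_sensitive_match": "True",      # not one of "true" / "false"
    "fields_list": "dest,process_name",  # missing the space after the comma
    "max_matches": "100",                # string where an integer is required
    "owner": "secops",                   # not a documented property
}

if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("bad", BAD_MANIFEST)):
        print(label, validate_lookup_manifest(manifest) or "OK")
```

Running the module prints OK for the sample manifest and four errors for the bad one. Because the checks are plain Python with no schema library, they can be dropped into a pre-commit hook or CI step that loads each manifest file before it is shipped.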