What is a lookup in Splunk and when should you use it?

Lookups in Splunk are a way to bring in external data to enrich your events by matching fields in your data to a separate dataset. This lets you add extra attributes—like mapping an IP address to a device name, owner, or department—so your searches and dashboards have richer context and you can correlate events with other data sources such as assets or users. Lookups are defined with a lookup table (for example a CSV or a KV store) and a lookup definition, then applied via the lookup command or configured as automatic lookups so enrichment happens automatically during searches. Use lookups whenever you need additional context from data that isn’t in the event itself or when you want to join your event data with external datasets for analysis, alerts, or reporting. They’re not dashboard widgets, export mechanisms, or storage partitions.