topic Search for IDS with inputlookup in Splunk Search

Search for IDS with inputlookup

Aaron283 — Fri, 26 Mar 2021 10:39:25 GMT

So this may be a pretty easy task, however I am not getting it to work the way I want it:

so here is my problem:

I have CSV with 3 columns
id,uid,role
1,2342334,master
2,2342334,slave
3,34234234,master
(...)

Now I want a search on my index that returns me all data where the uid is in the csv.
What I did so far is the following :

index = myindex [ |inputlookup mycsv.csv | fields 10000 $uid ]

However this solution is not perfect.
What I would wanted to achieve should be like this
index= myindex uid=2342334 or uid =34234234 or uid=(..)

Any ideas?

Re: Search for IDS with inputlookup

aasabatini — Fri, 26 Mar 2021 11:14:48 GMT

Hi Aaron

you can use directly the lookup comand

https://docs.splunk.com/Documentation/SCS/current/SearchReference/LookupCommandExamples

inputlookup works different, you can search inside on your lookup table, with the lookup comand you can enrich your data.

Re: Search for IDS with inputlookup

Aaron283 — Fri, 26 Mar 2021 11:27:10 GMT

thanks for the fast reply. Could you give me a short example?

Re: Search for IDS with inputlookup

aasabatini — Fri, 26 Mar 2021 12:00:08 GMT

sure

Basically you must have one field on your data present on the lookup table

by hypothesis will be "ID" field.

example

index = myindex | lookup mycsvfile ID OUTPUT UID ROLE |

with the association the field you can find the fields present on the lookup table to enrich your data set.

would be nice if you can confirm the solution

Thanks!

Re: Search for IDS with inputlookup

Aaron283 — Fri, 26 Mar 2021 11:53:24 GMT

Sorry for the trouble, but I am still not sure if I understand it right.
so by doing "index = myindex | lookup mycsv.csv UID OUTPUT UID | " all UIDs that are in mycsv.csv will be returned?

Re: Search for IDS with inputlookup

aasabatini — Fri, 26 Mar 2021 11:59:18 GMT

Exactly

with this search you can find your UID values on your dataset.

I really appreciate if you can confirm the solution

Re: Search for IDS with inputlookup

Aaron283 — Fri, 26 Mar 2021 12:06:30 GMT

Will do so 🙂
However it seems not to work for me, or I am still not fully understanding it.
The UID is not part of index. the value I want to match the UID COLUMN from the CSV is in a JSON sth like this. things.attributes.UIDThingNumber

So I want to do something like this:
index = myindex "things.attributes.UIDThingNumber"=123 or 456 or 789 and that does not seem to work the way you described it .

I am really sorry if I haven't explained it right

Re: Search for IDS with inputlookup

aasabatini — Fri, 26 Mar 2021 12:12:10 GMT

Hi @Aaron283

you have on your lookup table these fields

ROLE UID and ID

on your dataset you need ID field to match the data no UID field

index = myindex | lookup mycsv.csv ID OUTPUT UID

if you don't have any ID field on your dataset you can create you ID field with eval comand

https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Eval

Re: Search for IDS with inputlookup

Aaron283 — Fri, 26 Mar 2021 12:16:14 GMT

I think I have much to learn. Still not getting it but thanks for the help