topic Re: baic question on inputlookup in Splunk Search

baic question on inputlookup

jip31 — Wed, 17 Apr 2019 08:05:43 GMT

I have diffuclties to understand how inputlookup works
I use the search below
index="x" sourcetype=y source="z" EventCode=6008 which returns events
now I want to do the same check from a csv list
so i am doing

index="x" sourcetype=y source="z" EventCode=6008  [|inputlookup host.csv ]| stats count by host

but I have no results even if the is host from csv file which have eventcode=6008
is my query is wrong?
thanks for your help

Re: baic question on inputlookup

niketn — Wed, 17 Apr 2019 08:10:40 GMT

@jip31 try with the following subsearch in your query

[|inputlookup host.csv | table host]

Re: baic question on inputlookup

skalliger — Wed, 17 Apr 2019 08:11:20 GMT

Hi, what you are looking for, is called lookup, not inputlookup. inputlookup is a leading command that just outputs a lookup file. Also, there is no need for the square brackets when using lookup. Just look at the examples mentioned in the docs. 🙂

Skalli

Re: baic question on inputlookup

jip31 — Wed, 17 Apr 2019 09:25:58 GMT

thanks renjith but I have something strange
when I execute this for the host tutu I have events
index="x" sourcetype=y EventCode=* host=tutu
| dedup _time
| stats count(EventCode) as Total by host
| sort -Total limit=10

The host tutu exists in the CSV file but if I done this I have no results....
So it seems that the subsearch not working ...

    index="x" sourcetype=y  EventCode=* 
    | dedup _time [|inputlookup host.csv | table host]
    | stats count(EventCode) as Total by host 
    | sort -Total limit=10

Have you an idea please??

Re: baic question on inputlookup

skalliger — Wed, 17 Apr 2019 09:31:32 GMT

Like I said, inputlookup is the wrong command for your use case.

Re: baic question on inputlookup

jip31 — Wed, 17 Apr 2019 09:59:36 GMT

ok ...
So i done
index="x" sourcetype=y source="z" EventCode=6008
| dedup _time
| lookup host.csv host
| stats count(EventCode) as Total by host
| sort -Total limit=10

But I have the message Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

Re: baic question on inputlookup

jip31 — Wed, 17 Apr 2019 10:32:10 GMT

@ skalliger
[|inputlookup host.csv | table host] OR | lookup host.csv host are not the same??

Re: baic question on inputlookup

Vijeta — Wed, 17 Apr 2019 15:12:13 GMT

@jip31 You can try below, also make sure the column name in your csv file is host and not Host or anything else.

 index="x" sourcetype=y source="z" EventCode=6008  | lookup host.csv host OUTPUT host|  stats count by host

Re: baic question on inputlookup

jip31 — Wed, 17 Apr 2019 15:20:09 GMT

Is this code is correct?

index="X" sourcetype=Y EventCode=* 
  [|lookup host.csv host OUTPUT host]
     | stats count(EventCode) as Total by host 
     | sort -Total limit=10

Re: baic question on inputlookup

jip31 — Wed, 17 Apr 2019 15:42:22 GMT

Thanks
Yes it seems to be ok
last question
Could you confirm that index="x" sourcetype=y source="z" EventCode=6008 [|inputlookup host.csv host OUTPUT host] stats count by host is the same thing that index="x" sourcetype=y source="z" EventCode=6008 | lookup host.csv host OUTPUT host| stats count by host ?

Re: baic question on inputlookup

Vijeta — Wed, 17 Apr 2019 15:57:46 GMT

@jip31 - With inputlookup you don't user the fieldname and OUTPUT. With inputlookup it will be

  index="x" sourcetype=y source="z" EventCode=6008 [|inputlookup host.csv ]| stats count by host