topic Re: Lookup csv file, match codes and add field in Splunk Search

Lookup csv file, match codes and add field

erdalcan — Mon, 24 Apr 2017 12:51:28 GMT

I have a csv file containing 2 rows: EventCode and Message Summary
Have added the CSV as a lookup file and I can also read the CSV from splunk (| inputlookup filename.csv)
these are windows events,
I want to compare the windows event id's from Splunk and match them with the csv file and add the field "message summary"
the "message summary" give a short description of the event ID

Re: Lookup csv file, match codes and add field

dineshraj9 — Mon, 24 Apr 2017 12:56:39 GMT

You can do it in query -

index=event sourcetype=event_messages | lookup filename.csv EventCode as EventCode OUTPUT "Message Summary"

Re: Lookup csv file, match codes and add field

erdalcan — Mon, 24 Apr 2017 13:28:17 GMT

I get this eroror

Error in 'inputlookup' command: Invalid argument: 'EventCode'

did double check if the collum Event Code is parsed correctly from the CSV file and it is

Re: Lookup csv file, match codes and add field

dineshraj9 — Mon, 24 Apr 2017 13:30:46 GMT

Check the field EventCode in your lookup and in the raw Splunk events.

| lookup filename.csv <lookup-field1> AS <event-field1> OUTPUT "Message Summary"

Re: Lookup csv file, match codes and add field

DalJeanis — Mon, 24 Apr 2017 15:48:14 GMT

Is there a space in one of the field names "Event Code" or are they both "EventCode"? Watch your capitalization also. Spelling needs to be exact.

Re: Lookup csv file, match codes and add field

woodcock — Mon, 24 Apr 2017 17:55:06 GMT

Let's assume that your sourcetype is WinEventLog:Security and your lookup file is called EventCode.csv.

On your Search Head, navigate to the app that should own the lookup file and then do:
Settings -> Lookups -> Lookup table files -> New -> Choose File -> Save
Then do:
Settings -> Lookups -> Lookup definitions -> New -> Name(="EventCode") -> Lookup file(="EventCode.csv") -> Save
Then do:
Settings -> Lookups -> Automatic lookups -> New -> Name(=EventCodeAutoLookup) -> Apply to sourcetype named(="WinEventLog:Security") -> Lookup input fields(="EventCode") -> Lookup output fields(="message summary")' ->SaveThen do adebug/refresh` on the search head.

No all events with a field EventCode and sourcetype of WinEventLog:Security will automatically call lookup to get message summary field values. You can skip the last step and do it manually within the search by adding | lookup EventCode EventCode OUTPUT "message summary".