topic How can I compare values from a lookup file with the indexed data? in Splunk Search

How can I compare values from a lookup file with the indexed data?

Yaichael — Wed, 17 Jan 2018 15:38:58 GMT

Hi,

A lookup file, with a single column, was configured for comparing the data that it's already indexed. The lookup table file was uploaded correctly and the lookup definition was done correctly but, I can't seem to come up with the correct query for this.

Any ideas?

Thanks!

Re: How can I compare values from a lookup file with the indexed data?

somesoni2 — Wed, 17 Jan 2018 16:05:41 GMT

Without know what type of information the lookup contains and how it relates to your indexed data, I'm assuming your lookup has some search part (e.g. sourcetype, host or some keyword you want to search) and you want to see if those search parts appear in your indexed data (may be for specific indexes), you can use lookup in subsearch like this

If your lookup field name has matching field name in your indexed data

your base search to get indexed data [| inputlookup yourLookupDefinition | table YourLookupFieldName  ]

If your lookup field name doesn't have matching field name in your indexed data

your base search to get indexed data [| inputlookup yourLookupDefinition | table YourLookupFieldName  | rename YourLookupFieldName  as yourIndexedDataFieldName]

If your lookup field is keyword and you're trying to search it in raw events of your indexed data

your base search to get indexed data [| inputlookup yourLookupDefinition | table YourLookupFieldName  | rename YourLookupFieldName  as search]

Re: How can I compare values from a lookup file with the indexed data?

493669 — Wed, 17 Jan 2018 16:09:09 GMT

could you please share sample data and sample lookup data and output what you want to achieve..

Re: How can I compare values from a lookup file with the indexed data?

Yaichael — Wed, 17 Jan 2018 16:37:07 GMT

Thanks for the reply, somesoni2.

My case is the second example, which I executed but, it isn't returning anything. If I execute the following query separately it does return results:

| inputlookup yourLookupDefinition | table YourLookupFieldName  | rename YourLookupFieldName  as yourIndexedDataFieldName

Thanks!

Re: How can I compare values from a lookup file with the indexed data?

somesoni2 — Wed, 17 Jan 2018 16:41:54 GMT

What's the search you tried? Hopefully your correctly replace the lookup and field names from my query (field names are case sensitive).

Re: How can I compare values from a lookup file with the indexed data?

Yaichael — Wed, 17 Jan 2018 18:27:00 GMT

I tried the following search:

your base search to get indexed data [| inputlookup yourLookupDefinition | table YourLookupFieldName | rename YourLookupFieldName as yourIndexedDataFieldName]

where yourIndexedDataFieldName is an extracted field. Taking in consideration that field names are case sensitive, I rechecked the query and everything looks fine.

Re: How can I compare values from a lookup file with the indexed data?

Yaichael — Wed, 17 Jan 2018 20:16:04 GMT

The query is correct but, there isn't any data present that matches the values from the lookup file.

Thanks for the help!