topic Re: display results from map on inputlookup as events in Splunk Search

display results from map on inputlookup as events

fvegdom — Mon, 29 May 2017 07:07:29 GMT

I have a search like this:

|inputlookup CSV-Generic-GenCus-GenLBL-SensitiveDataKeyWords.csv | map [search index="*" $keyword$ | eval kw=$keyword$, rex=$regex$ | regex($regex$)]

the results I get back from it are displayed as statistics, not as event, even though the search under the map obviously finds events. Is there a way to display them as events?

Re: display results from map on inputlookup as events

ggssa2000 — Mon, 29 May 2017 07:38:32 GMT

Hi fvegdom,

in my experience, the result you got when you using "inputlookup" function is a table, not events.
So if you want to mask or replace sensitive keywords from invoking CSV file, maybe the command order needs changes.

Here is my thought :
[ your data from index ] | lookup or append CSV file | map command
you will get events from search events first, and your using lookup or append function to process your data.

Have a try 🙂

Ref:
1. Append, https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Append
2. Map, http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Map
3. inputlookup, http://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Inputlookup

Re: display results from map on inputlookup as events

woodcock — Mon, 29 May 2017 15:41:59 GMT

It is not possible; the minute that you mix your search stream with inputlookup, you lose the Events tab, period.

Re: display results from map on inputlookup as events

fvegdom — Mon, 29 May 2017 19:54:39 GMT

Thank you for your answer, I am not surprised that the inputlookup gives me a table, I just want it to do a search for each record in the table and then show the resulting events.

Thanks for your suggestion
I am not sure that will achieve the same result though, and it looks like it would have to retieve all events first.

My current implementation is such that it is doing a keyword search for each keyword in the file.
which is running fairly efficiently.

Re: display results from map on inputlookup as events

fvegdom — Mon, 29 May 2017 19:55:28 GMT

That's good to know.

Re: display results from map on inputlookup as events

ggssa2000 — Tue, 30 May 2017 03:29:09 GMT

If you already understand it's a table when using "inputlookup" function, and you really want to replace the value via table. You need carefully when processing the csv table format.

For example,

| inputlookup filename.csv ---> you will get a fieldname with value. and if you want to using pipeline | to process the previous data, you need using like this:

| inputlookup filename.csv | search sensitive_kw="12345"

All I want to express is it can't be type the command just like normal situation, like
index=test_indexname "12345" The second example you will get the result you are expected, however the first one not. So when you deal with the inputlookupfunction, the fields name you want to process needs to specify in the SPL.

Hope this can help to solve your problem 🙂