- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Lookup csv file, match codes and add field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a csv file containing 2 rows: EventCode and Message Summary
Have added the CSV as a lookup file and I can also read the CSV from splunk (| inputlookup filename.csv)
these are windows events,
I want to compare the windows event id's from Splunk and match them with the csv file and add the field "message summary"
the "message summary" give a short description of the event ID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do it in query -
index=event sourcetype=event_messages | lookup filename.csv EventCode as EventCode OUTPUT "Message Summary"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let's assume that your sourcetype is WinEventLog:Security and your lookup file is called EventCode.csv.
On your Search Head, navigate to the app that should own the lookup file and then do:
Settings -> Lookups -> Lookup table files -> New -> Choose File -> Save
Then do:
Settings -> Lookups -> Lookup definitions -> New -> Name(="EventCode") -> Lookup file(="EventCode.csv") -> Save
Then do:
Settings -> Lookups -> Automatic lookups -> New -> Name(=EventCodeAutoLookup) -> Apply to sourcetype named(="WinEventLog:Security") -> Lookup input fields(="EventCode") -> Lookup output fields(="message summary")' ->Save
Then do a
No all events with a field EventCode and sourcetype of WinEventLog:Security will automatically call lookup to get message summary field values. You can skip the last step and do it manually within the search by adding | lookup EventCode EventCode OUTPUT "message summary".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do it in query -
index=event sourcetype=event_messages | lookup filename.csv EventCode as EventCode OUTPUT "Message Summary"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I get this eroror
Error in 'inputlookup' command: Invalid argument: 'EventCode'
did double check if the collum Event Code is parsed correctly from the CSV file and it is
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check the field EventCode in your lookup and in the raw Splunk events.
| lookup filename.csv <lookup-field1> AS <event-field1> OUTPUT "Message Summary"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a space in one of the field names "Event Code" or are they both "EventCode"? Watch your capitalization also. Spelling needs to be exact.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
