Lookup csv file, match codes and add field

erdalcan
New Member

I have a CSV file containing 2 rows: EventCode and Message Summary.
I have added the CSV as a lookup file and I can also read the CSV from Splunk (| inputlookup filename.csv).
These are Windows events.
I want to compare the Windows event IDs from Splunk and match them with the CSV file and add the field "message summary".
The "message summary" gives a short description of the event ID.


dineshraj9
Builder

You can do it in query -

index=event sourcetype=event_messages | lookup filename.csv EventCode as EventCode OUTPUT "Message Summary"


woodcock
Esteemed Legend

Let's assume that your sourcetype is WinEventLog:Security and your lookup file is called EventCode.csv.

On your Search Head, navigate to the app that should own the lookup file and then do:
Settings -> Lookups -> Lookup table files -> New -> Choose File -> Save
Then do:
Settings -> Lookups -> Lookup definitions -> New -> Name(="EventCode") -> Lookup file(="EventCode.csv") -> Save
Then do:
Settings -> Lookups -> Automatic lookups -> New -> Name(=EventCodeAutoLookup) -> Apply to sourcetype named(="WinEventLog:Security") -> Lookup input fields(="EventCode") -> Lookup output fields(="message summary") -> Save
Then do a debug/refresh on the search head.

Now all events with a field EventCode and sourcetype of WinEventLog:Security will automatically call the lookup to get message summary field values. You can skip the last step and do it manually within the search by adding | lookup EventCode EventCode OUTPUT "message summary".

erdalcan
New Member

I get this error:

Error in 'inputlookup' command: Invalid argument: 'EventCode' 

I did double check whether the column Event Code is parsed correctly from the CSV file, and it is.

dineshraj9
Builder

Check the field EventCode in your lookup and in the raw Splunk events.

| lookup filename.csv <lookup-field1> AS <event-field1> OUTPUT "Message Summary"


DalJeanis
SplunkTrust

Is there a space in one of the field names "Event Code" or are they both "EventCode"? Watch your capitalization also. Spelling needs to be exact.

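To make the advice in this thread concrete, here is an added example (not code from any of the posters, and not Splunk's own implementation) that models what `| lookup EventCode EventCode OUTPUT "Message Summary"` does, and what an automatic lookup scoped to sourcetype WinEventLog:Security adds on top of it. The CSV contents, the event records and the header names are constructed for the example; the thread only says the columns are EventCode and Message Summary. The second table deliberately has the header written as "Event Code", the mismatch DalJeanis asks about, to show why a lookup with a wrong field name fails instead of matching.

```python
import csv
import io

# Constructed stand-in for the uploaded EventCode.csv (header names assumed).
LOOKUP_CSV = """EventCode,Message Summary
4624,An account was successfully logged on
4625,An account failed to log on
4672,Special privileges assigned to new logon
"""

# Same table, but with the header spelled "Event Code" (space) instead of "EventCode".
LOOKUP_CSV_BAD_HEADER = LOOKUP_CSV.replace("EventCode,", "Event Code,", 1)

# Constructed events, already split into fields as Splunk presents WinEventLog data.
# EventCode is a string field in Splunk, so it is kept as a string here too.
EVENTS = [
    {"sourcetype": "WinEventLog:Security", "host": "dc01", "EventCode": "4624"},
    {"sourcetype": "WinEventLog:Security", "host": "dc01", "EventCode": "4625"},
    {"sourcetype": "WinEventLog:Security", "host": "ws07", "EventCode": "4688"},
    {"sourcetype": "WinEventLog:System",   "host": "dc01", "EventCode": "4624"},
]


def load_lookup(csv_text):
    """Parse the lookup like Splunk does: row 1 is the header and the column
    names are taken literally, including case and any spaces."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lookup(events, table, lookup_field, event_field, output_fields, sourcetype=None):
    """Model of `| lookup <table> <lookup_field> AS <event_field> OUTPUT <output_fields>`.

    With `sourcetype` set, only events of that sourcetype are enriched, which is
    what an automatic lookup bound to one sourcetype does. Events without a
    matching row pass through unchanged, as in Splunk. Value matching here is an
    exact, whitespace-trimmed string comparison (an assumption of this model).
    """
    if not table:
        raise ValueError("lookup table is empty")
    missing = [f for f in (lookup_field, *output_fields) if f not in table[0]]
    if missing:
        # Field names must match the CSV header exactly: "Event Code" is not
        # "EventCode", and "Message Summary" is not "message summary".
        raise ValueError(f"no such column(s) {missing}; header is {list(table[0])}")
    index = {row[lookup_field].strip(): row for row in table}
    enriched = []
    for ev in events:
        ev = dict(ev)
        if sourcetype is None or ev.get("sourcetype") == sourcetype:
            row = index.get(str(ev.get(event_field, "")).strip())
            if row is not None:
                for f in output_fields:
                    ev[f] = row[f]
        enriched.append(ev)
    return enriched


def enrich_security_events(events=EVENTS, csv_text=LOOKUP_CSV):
    """The thread's goal: add "Message Summary" to WinEventLog:Security events."""
    table = load_lookup(csv_text)
    return lookup(events, table, "EventCode", "EventCode", ["Message Summary"],
                  sourcetype="WinEventLog:Security")


if __name__ == "__main__":
    for ev in enrich_security_events():
        print(ev)
    try:
        enrich_security_events(csv_text=LOOKUP_CSV_BAD_HEADER)
    except ValueError as err:
        print("header mismatch:", err)
```

Running it prints the two Security events with a Message Summary attached, the 4688 event without one (no row in the table), and the System event untouched (outside the automatic lookup's sourcetype); the second call fails on the "Event Code" header, which is the kind of mismatch to check for before suspecting the CSV itself.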