I have a CSV file containing 2 rows: EventCode and Message Summary.
I have added the CSV as a lookup file and I can also read the CSV from Splunk (| inputlookup filename.csv).
These are Windows events.
I want to compare the Windows event IDs from Splunk, match them with the CSV file, and add the field "message summary".
The "message summary" gives a short description of the event ID.
Let's assume that your sourcetype is
WinEventLog:Security and your lookup file is called EventCode.csv.
On your Search Head, navigate to the app that should own the lookup file and then do:
Lookup table files ->
Choose File ->
Lookup definitions ->
Lookup file(="EventCode.csv") ->
Automatic lookups ->
Apply to sourcetype named(="WinEventLog:Security") ->
Lookup input fields(="EventCode") ->
Lookup output fields(="message summary") -> Save
Then do a `debug/refresh` on the search head.
Now all events with sourcetype
WinEventLog:Security will automatically call the lookup to get
message summary field values. You can skip the last step and do it manually within the search by adding
`| lookup EventCode EventCode OUTPUT "message summary"`.
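The conf-file equivalent of the UI steps in the answer above, added here as an example and not taken from the answer itself: dropping these two stanzas into an app's local/ directory on the search head does the same job as the Lookup definitions and Automatic lookups screens, and is easier to review and version. The app name (my_lookups_app), the lookup-definition name (EventCode), the CSV rows, and a CSV header renamed to message_summary (no space) are assumptions. The field names in the lookup must match the CSV header row exactly, so if the column really is called "Message Summary" or "Event Code", use that name, quoted, instead.

```ini
# $SPLUNK_HOME/etc/apps/my_lookups_app/lookups/EventCode.csv
# Constructed sample rows (not the poster's file); the header row defines the field names:
#   EventCode,message_summary
#   4624,An account was successfully logged on
#   4625,An account failed to log on
#   4688,A new process has been created

# $SPLUNK_HOME/etc/apps/my_lookups_app/local/transforms.conf
# Lookup definition. The stanza name is what "| lookup EventCode ..." and
# "| inputlookup EventCode" refer to; "filename" is the CSV uploaded as a lookup table file.
[EventCode]
filename = EventCode.csv
# Default is true; relaxing it keeps the match working if the CSV values differ only in case.
case_sensitive_match = false

# $SPLUNK_HOME/etc/apps/my_lookups_app/local/props.conf
# Automatic lookup: for every event of this sourcetype, match the event's EventCode field
# against the EventCode column of the lookup and add message_summary to the event at search time.
# Syntax: LOOKUP-<class> = <transform> <lookup_field> [AS <event_field>] OUTPUT <lookup_field> [AS <event_field>]
[WinEventLog:Security]
LOOKUP-eventcode_summary = EventCode EventCode OUTPUT message_summary
```

To check that the definition resolves, run `| inputlookup EventCode` (definition name) as well as `| inputlookup EventCode.csv` (file name); both should return the CSV rows. Then verify the enrichment with `sourcetype=WinEventLog:Security | stats count by EventCode, message_summary`; any EventCode that shows up without a message_summary is simply missing from the CSV, since `lookup` adds nothing for unmatched keys. If the CSV header does contain spaces, the manual form is `| lookup EventCode "Event Code" AS EventCode OUTPUT "Message Summary" AS message_summary`. Note also that `inputlookup` accepts only the lookup name plus its own options (append, start, max, where): the `EventCode OUTPUT "message summary"` arguments belong to `lookup`, and passing them to `inputlookup` is rejected as an invalid argument.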
I get this error:
Error in 'inputlookup' command: Invalid argument: 'EventCode'
I did double-check that the column Event Code is parsed correctly from the CSV file, and it is.