Solved: baic question on inputlookup

jip31 · ‎04-17-2019

hi

I have diffuclties to understand how inputlookup works
I use the search below
index="x" sourcetype=y source="z" EventCode=6008 which returns events
now I want to do the same check from a csv list
so i am doing

index="x" sourcetype=y source="z" EventCode=6008  [|inputlookup host.csv ]| stats count by host

but I have no results even if the is host from csv file which have eventcode=6008
is my query is wrong?
thanks for your help

Vijeta · ‎04-17-2019

@jip31 You can try below, also make sure the column name in your csv file is host and not Host or anything else.

 index="x" sourcetype=y source="z" EventCode=6008  | lookup host.csv host OUTPUT host|  stats count by host

View solution in original post

Vijeta · ‎04-17-2019

@jip31 You can try below, also make sure the column name in your csv file is host and not Host or anything else.

 index="x" sourcetype=y source="z" EventCode=6008  | lookup host.csv host OUTPUT host|  stats count by host

jip31 · ‎04-17-2019

Thanks
Yes it seems to be ok
last question
Could you confirm that index="x" sourcetype=y source="z" EventCode=6008 [|inputlookup host.csv host OUTPUT host] stats count by host is the same thing that index="x" sourcetype=y source="z" EventCode=6008 | lookup host.csv host OUTPUT host| stats count by host ?

Vijeta · ‎04-17-2019

@jip31 - With inputlookup you don't user the fieldname and OUTPUT. With inputlookup it will be

  index="x" sourcetype=y source="z" EventCode=6008 [|inputlookup host.csv ]| stats count by host

skalliger · ‎04-17-2019

Hi, what you are looking for, is called lookup, not inputlookup. inputlookup is a leading command that just outputs a lookup file. Also, there is no need for the square brackets when using lookup. Just look at the examples mentioned in the docs. 🙂

Skalli

niketn · ‎04-17-2019

@jip31 try with the following subsearch in your query

[|inputlookup host.csv | table host]

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jip31 · ‎04-17-2019

thanks renjith but I have something strange
when I execute this for the host tutu I have events
index="x" sourcetype=y EventCode=* host=tutu
| dedup _time
| stats count(EventCode) as Total by host
| sort -Total limit=10

The host tutu exists in the CSV file but if I done this I have no results....
So it seems that the subsearch not working ...

    index="x" sourcetype=y  EventCode=* 
    | dedup _time [|inputlookup host.csv | table host]
    | stats count(EventCode) as Total by host 
    | sort -Total limit=10

Have you an idea please??

jip31 · ‎04-17-2019

Is this code is correct?

index="X" sourcetype=Y EventCode=* 
  [|lookup host.csv host OUTPUT host]
     | stats count(EventCode) as Total by host 
     | sort -Total limit=10

skalliger · ‎04-17-2019

Like I said, inputlookup is the wrong command for your use case.

jip31 · ‎04-17-2019

ok ...
So i done
index="x" sourcetype=y source="z" EventCode=6008
| dedup _time
| lookup host.csv host
| stats count(EventCode) as Total by host
| sort -Total limit=10

But I have the message Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

jip31 · ‎04-17-2019

@ skalliger
[|inputlookup host.csv | table host] OR | lookup host.csv host are not the same??

baic question on inputlookup

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life