Solved: help on a field rename in a subsearch

jip31 · ‎07-05-2019

hi

I use the subsearch below in order to match host in host.csv with host in the index
But in the index, the host field is called USERNAME
So I am doing a rename in my subsearch but I am unable to match with the index events
what is the problem please??

[| inputlookup host.csv 
    | table host| rename host as USERNAME ] index=A sourcetype=wireless USERNAME=TOTA

DavidHourani · ‎07-05-2019

Hi @jip31,

Maybe USERNAME=TOTA is causing the problem as it only filters on TOTA. Try it as follows :

index=A sourcetype=wireless   [| inputlookup host.csv | table host| rename host as USERNAME ]

If you want to enrich your data with the lookup then this should do :

index=A sourcetype=wireless  | lookup host.csv host AS USERNAME

Best regards,
David

View solution in original post

DavidHourani · ‎07-05-2019

Hi @jip31,

Maybe USERNAME=TOTA is causing the problem as it only filters on TOTA. Try it as follows :

index=A sourcetype=wireless   [| inputlookup host.csv | table host| rename host as USERNAME ]

If you want to enrich your data with the lookup then this should do :

index=A sourcetype=wireless  | lookup host.csv host AS USERNAME

Best regards,
David

jip31 · ‎07-05-2019

thanks to you

chrispounds · ‎07-05-2019

I think you need to place the search before the lookup, so it would look something like this

index-A sourcetype=wireless USERNAME=TOTA [inputlookup host.csv | table host | rename host as USERNAME]

See if that works perhaps?

jip31 · ‎07-05-2019

its not working...

help on a field rename in a subsearch

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!