Getting Data In

How to use inputlookup to filter

Hung_Nguyen
Path Finder

Hi,

I have multiple queries that I use to do daily reports on errors in our production Splunk. I would like to filter out known issues so the report is less cluttered with them. I have created a lookup file, let's say "foo.csv", which has this content:

known_issues_strings
NOT "known string"
NOT "known issue1"
NOT "known issue2"
NOT "known issue3"
etc .....

Currently my search is like this:

source=*logger* NOT "known string" NOT "known issue1"  NOT "known issue2" NOT "known issue3"

How do I use inputlookup so that I don't need to spell out all the filtering strings in each of my report searches? Thanks

0 Karma
1 Solution

dcarmack_splunk
Splunk Employee

I think this list would be easier to maintain in a macro, which is simply a condensed search string held in a Splunk knowledge object.

http://docs.splunk.com/Documentation/Splunk/6.0.4/Search/Usesearchmacros

If you insist on a lookup table and intend to search the values as raw strings in the events, you will need to rename the lookup table header field to "query". Query is a reserved field name that allows this type of behavior.

| inputlookup foo.csv | rename myfield AS query | fields query

somesoni2
Revered Legend

Assuming you want to do a text search of known errors, here is what I would suggest:

a) Update your lookup to just have the known error string.
foo.csv

known_issues_strings
"known string"
"known issue1"
"known issue2"
"known issue3"

Update #1

b) Update your base search like this

source=*logger* NOT [| inputlookup foo.csv | eval search="\"".known_issues_strings."\"" | table search ]
0 Karma
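Combining the two suggestions above (the macro dcarmack_splunk recommends and the lookup-driven subsearch somesoni2 shows), here is an added example that is not from any poster in this thread: a macros.conf stanza that hides the subsearch behind a macro, so each report search carries only the macro name while the exclusion list stays editable in foo.csv. The lookup file and the known_issues_strings column are the ones from the question; the stanza names known_issue_filter and known_issue_field_filter and the field name my_field_name are placeholders chosen for this example.

```ini
# macros.conf, in the app that owns the report searches (added example, not from the thread).
# Excludes events containing any phrase listed in foo.csv, column known_issues_strings.
# The eval wraps each value in double quotes so multi-word entries are matched as phrases
# rather than as separate AND-ed terms; the field is renamed to "query" so Splunk inserts
# the values as literal search text instead of field=value pairs.
[known_issue_filter]
definition = NOT [| inputlookup foo.csv | eval query="\"".known_issues_strings."\"" | fields query]
iseval = 0

# Variant that restricts the match to one extracted field instead of the raw event text.
# my_field_name is a placeholder for the field the known-issue text actually lives in.
[known_issue_field_filter]
definition = NOT [| inputlookup foo.csv | eval query="my_field_name=\"*".known_issues_strings."*\"" | fields query]
iseval = 0
```

Each report search then becomes, for example:

source=*logger* `known_issue_filter`

Two checks before relying on this in a report. First, the lookup values become part of the search string: a value containing a double quote breaks the expanded search, and a value of * would exclude every event, so treat write access to foo.csv like write access to the search itself. Second, the subsearch runs under the default limits.conf [subsearch] caps of 10,000 rows and 60 seconds, which is ample for an exclusion list but worth knowing. To see exactly what gets substituted, run the subsearch on its own (| inputlookup foo.csv | eval query="\"".known_issues_strings."\"" | fields query) and read the query column.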

Hung_Nguyen
Path Finder

With your suggestion, this is the produced query

index=tto* NOT ( ( known_issues="known issue1" ) OR ( known_issues="known issue1" ) )

So it doesn't produce the right result. Is it possible for me to tell Splunk not to use the field? One way I can think of is to change the CSV column header to be the same as my field name and add wildcards:

my_field_name
"*known issue1*"
"*known issue2*"

so it would produce

index=tto* NOT ( ( my_field_name="*known issue1*" ) OR ( my_field_name="*known issue1*" ) )

Although I wonder if the wildcard can have a perf hit.

0 Karma

somesoni2
Revered Legend

Try the updated search, which will append double quotes around the values it retrieved from lookup.

0 Karma

fdi01
Motivator

Try like this:

sourcetype=logger   [|inputlookup foo.csv ] |...
0 Karma

HeinzWaescher
Motivator
sourcetype=logger AND NOT [|inputlookup foo.csv | fields + known_issues_strings | rename known_issues_strings AS "your_error_field"]
0 Karma

stephanefotso
Motivator

Hello. Search the foo.csv lookup file (under $SPLUNK_HOME/etc/system/lookups or $SPLUNK_HOME/etc/apps//lookups) like this:

| inputlookup foo.csv

For more information about the inputlookup command, read this: http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Inputlookup
Thanks

0 Karma