Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

inputlookup question, can't find answer anywhere

jonbalderston
Explorer
‎08-28-2013 08:20 AM

I have a lookup which works, it's not matched to a field, it has to search in the raw event.

[|inputlookup MyFile.csv| fields column_name| rename column_name as search | format]

This finds all results with names in MyFile.csv and highlights in results.

I want to output to a table with the result (what the match was from the CSV file). i.e.
time,StringFound, etc

I can do table, etc with everything else in event, just not what was matched from MyFile.csv

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

jpass
Contributor
‎08-28-2013 06:39 PM

This will do the trick. I can't remember where I got it or who helped me put it together but it works...

  • This assumes your lookup table has a single field called 'phrase'.
  • For example, if you want to search for any reference to a list of IPs
  • A column called 'hit' is created

  • If your events have a unique key (like a primary key) you can at a 'transaction primarykey' to group all events that contain multiple 'hits'

    index=yourindex [| inputlookup MyFile.csv | rename phrase as search | fields search | format] | eval rawText= _raw | eval hit=[| inputlookup MyFile.csv | stats values(phrase) as query | eval query=mvjoin(query,",") | fields query | eval query = "\"".query."\""] | eval hit=split(hit,",") | mvexpand hit | eval hit=lower(hit) | eval rawText=lower(rawText) | where like(rawText,"%"+hit+"%") | TABLE *

View solution in original post

Reply
Solved! Jump to solution
Solution

jpass
Contributor
‎08-28-2013 06:39 PM

This will do the trick. I can't remember where I got it or who helped me put it together but it works...

  • This assumes your lookup table has a single field called 'phrase'.
  • For example, if you want to search for any reference to a list of IPs
  • A column called 'hit' is created

  • If your events have a unique key (like a primary key) you can at a 'transaction primarykey' to group all events that contain multiple 'hits'

    index=yourindex [| inputlookup MyFile.csv | rename phrase as search | fields search | format] | eval rawText= _raw | eval hit=[| inputlookup MyFile.csv | stats values(phrase) as query | eval query=mvjoin(query,",") | fields query | eval query = "\"".query."\""] | eval hit=split(hit,",") | mvexpand hit | eval hit=lower(hit) | eval rawText=lower(rawText) | where like(rawText,"%"+hit+"%") | TABLE *

Reply
Solved! Jump to solution

jpass
Contributor
‎08-29-2013 06:55 AM

sure no problem. Glad I could help someone as opposed to getting help from others.

0 Karma
Reply
Solved! Jump to solution

jonbalderston
Explorer
‎08-29-2013 01:36 AM

It works! I had to change """.query.""" to "".query."" though, otherwise it returns an error. Thanks!!!

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎08-28-2013 06:19 PM

I think to be able to answer if there is a sample of the data and of the entire search statement.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...