How do I display all fields from a lookup file via...

sarwshai · ‎09-19-2018

I have a lookup which has 6-7 fields. One of them is src_ip, which I'm trying to use in a search as follows:

index=myindex "searchterm" [| inputlookup "mylookup.csv" | fields src_ip] | stats values(field1) values(field2) by src_ip

Here it matches src_ip in "myindex" and brings out 3 fields i.e src_ip, field1, field2. However i want all the fields from the lookup in the results to compare only the src_ip with fields in "myindex" .

Is this possible?

datasearchninja · ‎09-19-2018

The most perfomant option will be to look them up from the lookup after the stats command

So:

index=myindex "searchterm" [| inputlookup "mylookup.csv" | fields src_ip] 
| stats values(field1) values(field2) by src_ip
| lookup mylookup.csv src_ip

sarwshai · ‎09-20-2018

No, that doesn't work, an error comes for this,

Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '375' of search query 'search index=myindex url=myurl | search [ | i...{snipped} {errorcontext = Action | [lookup "DH}'.

However i found a way for this and successfully displayed all fields from lookup while matching only one, below is the query,

datasearchninja · ‎09-23-2018

Your query is using join when it shouldn't the correct use for this is as I suggested. Note this is lookup, not inputlookup:

index=myindex "searchterm" [| inputlookup "mylookup.csv" | fields src_ip]
|stats values(field1) values(field2) by src_ip
|lookup mylookup.csv src_ip

How do I display all fields from a lookup file via inputlookup , but match only one in the search?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...