Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to lookup two fields and match with base search?

johanhakim
Explorer
‎05-12-2022 08:03 PM

Hi,

I have 2 queries:

Query1:

Message1,EventCode,Status

aaaaa,4625,0XC0000234

Query2:

Status,EventCode,action

0xC0000234,4625,denied

0XC0000234,4776,failure

*note the lower and uppercase "x". Case sensitive

In Query1, the status field is always uppercase (e.g. 0XC0000234 and not 0xC0000234 nor 0xc0000234)

When i perform a search and lookup:

index=a host=b | table Message1,EventCode,Status 

| lookup blabla.csv Status OUTPUT action

I'm getting the output:

Message1,EventCode,Status,action

aaaaa,4625,0XC0000234,failure

Above is incorrect as 4625 should return "denied" instead of "failure"

How do i do a lookup to first:

  1. Check the EventCode
  2. Return the corresponding action field with case insensitive

Or is there a better way aside from the 2 points i mentioned above?

Appreciate the help!

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-13-2022 12:48 AM 
index=a host=b | table Message1,EventCode,Status 

| lookup blabla.csv Status EventCode OUTPUT action

If the lookup is file based, you can check/uncheck the case sensitive box (in lookup definitions - advanced settings)

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...