Splunk Enterprise

How to lookup two fields and match with base search?

johanhakim
Explorer

Hi,

I have 2 queries:

Query1:

Message1,EventCode,Status

aaaaa,4625,0XC0000234

Query2:

Status,EventCode,action

0xC0000234,4625,denied

0XC0000234,4776,failure

*note the lower and uppercase "x". Case sensitive

In Query1, the status field is always uppercase (e.g. 0XC0000234 and not 0xC0000234 nor 0xc0000234)

When i perform a search and lookup:

index=a host=b | table Message1,EventCode,Status 

| lookup blabla.csv Status OUTPUT action

I'm getting the output:

Message1,EventCode,Status,action

aaaaa,4625,0XC0000234,failure

Above is incorrect as 4625 should return "denied" instead of "failure"

How do i do a lookup to first:

  1. Check the EventCode
  2. Return the corresponding action field with case insensitive

Or is there a better way aside from the 2 points i mentioned above?

Appreciate the help!

 

Labels (1)
Tags (3)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index=a host=b | table Message1,EventCode,Status 

| lookup blabla.csv Status EventCode OUTPUT action

If the lookup is file based, you can check/uncheck the case sensitive box (in lookup definitions - advanced settings)

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...