Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me with a lookuptable question?

adabud6267
Explorer
‎01-09-2019 07:44 AM

Hello all,

I have indexed data that contains an extracted field (domain) and a CSV (https.csv) file with the following headers URL,IP,Location_Code,Location_Name. I'd like to return ONLY events that concern the domains in the CSV files. 

| lookup https URL as domain OUTPUT IP, Location_Code, Location_Name

Would the above return only the events where the domain fields values match the values under the URL header in my CSV file?

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-09-2019 08:09 AM

Hi adabud6267,
try something like this:

index=domain [ | inputlookup https | rename URL as domain | fields domain ]
| ...

beware that the field name (domain) must be the same in main search and subsearch.

If you want to run the search with a substring of URL field, you have to extract it using substr function or a regex.

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-09-2019 08:09 AM

Hi adabud6267,
try something like this:

index=domain [ | inputlookup https | rename URL as domain | fields domain ]
| ...

beware that the field name (domain) must be the same in main search and subsearch.

If you want to run the search with a substring of URL field, you have to extract it using substr function or a regex.

Bye.
Giuseppe

Reply
Solved! Jump to solution

adabud6267
Explorer
‎01-22-2019 12:06 AM

Hello @cusello

Thank you for your answer! It works. Please tell me on thing.

will www.domain-foo.com match domain-foo.com ?

Also it appears, that I cannot use the fields from the csv file as I would do it with the lookup command. I'd like to add a column containing the city code from the CSV file if a domain match is found.

Thank you and I appreciate your help !

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-23-2019 05:53 AM

To match a substring, you can use "*" at the beginning and the end of the string in you search.
Otherwise, in you search you can use

index=domain [ | inputlookup https | rename URL as query | fields query ]
| ...

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-22-2019 05:37 AM

@adabud6267 If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...