Splunk Search

Compare Search Result Against Lookup File and Output Multiple Fields

Makinde
New Member

Hello,

I am not sure what I am doing wrong, but logically I feel this search string should work; however, it isn't working.

So here is a description of what I am trying to do. I am trying to run a search of my data in Splunk, then output a field named DNS, then look up each DNS field in a lookup CSV file, and where there is a match it should output the corresponding Owner. Here is the search string:

index=main sourcetype=ServerList dns=* | dedup dns | table dns | lookup ServerList.csv dns OUTPUT Owner | table dns Owner

What am I doing wrong here? I get the dns field, but no Owner field is populated.

1 Solution

somesoni2
Revered Legend

Check the field name in the ServerList.csv file which corresponds to the field dns. If they don't have the same name OR the case is different, the above will not work.

In case they are different OR of different case, use this:

index=main sourcetype=ServerList dns=* | dedup dns | table dns | lookup ServerList.csv FieldNameInlookup as dns OUTPUT Owner | table dns Owner


woodcock
Esteemed Legend

Based on your description, all of these MUST be true (and probably one or more is not) for it to work:
1: There is a field in your events called dns (spelling and punctuation must be exact)
2: There is a field in your lookup file called dns (spelling and punctuation must be exact)
3: There is a field in your lookup file called Owner (spelling and punctuation must be exact)

Also, there should be (and in the latest versions of Splunk possibly must be) a lookup definition with ServerList.csv as the name and as the file to reference.

Also check the logs for bundle replication problems.


Makinde
New Member

I am really confused here, as I have at least 25 searches utilizing the CSV file for different types of lookup and I am getting the expected result; however, this one in particular isn't working.

The fields are correct, word for word. It does actually run; it just doesn't return any values for the Owner field. If the field didn't exist, I should get an error that it can't match the fields.


somesoni2
Revered Legend

And you validated that the DNS from your search results are available in the lookup file?

Run this and see if it returns anything.

index=main sourcetype=ServerList dns=* | dedup dns | table dns | eval From="search" | append [| inputlookup ServerList.csv | table dns Owner | eval From="lookup" ] | stats values(*) as * by dns
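To make the checks in this thread concrete, below is a small Python model of what the lookup command does with a CSV file. It is an added example, not Splunk's code and not anything the participants posted. It covers somesoni2's point about field names that differ in spelling or case, woodcock's three conditions, and the "which dns values actually match" question behind the inputlookup check. The dns values and the CSV content are constructed; the CSV header is deliberately DNS rather than dns so the name mismatch is visible. Case-sensitive value matching is what Splunk does for a CSV lookup unless the lookup definition sets case_sensitive_match=false.

```python
import csv
import io

# Constructed sample input: the dns values that `... | dedup dns | table dns`
# would hand to the lookup command. Two are deliberately off: one differs only
# in case from the CSV, one carries a trailing space.
EVENT_DNS = ["web01.example.local", "DB02.example.local", "app03.example.local "]

# Constructed stand-in for ServerList.csv. The header is deliberately "DNS",
# not "dns", to reproduce the field-name mismatch discussed in the thread.
SERVERLIST_CSV = """DNS,Owner
web01.example.local,alice
db02.example.local,bob
app03.example.local,carol
"""


def load_lookup(csv_text):
    """Read a CSV lookup the way `| inputlookup` would: header plus rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    return list(reader.fieldnames), rows


def check_fields(header, lookup_field, output_field):
    """woodcock's conditions 2 and 3: both field names must appear in the
    lookup header exactly, case included. Returns a list of problems."""
    problems = []
    for name in (lookup_field, output_field):
        if name in header:
            continue
        same_ignoring_case = [h for h in header if h.lower() == name.lower()]
        if same_ignoring_case:
            problems.append(f"{name!r} not in header; found {same_ignoring_case[0]!r} (case differs)")
        else:
            problems.append(f"{name!r} not in header {header}")
    return problems


def lookup(event_values, header, rows, lookup_field, output_field, case_sensitive=True):
    """Model of `lookup ServerList.csv <lookup_field> as dns OUTPUT <output_field>`.

    Splunk CSV lookups match values case-sensitively unless the lookup
    definition sets case_sensitive_match=false; a value with no matching row
    simply leaves the output field null, which is the symptom in the question.
    """
    problems = check_fields(header, lookup_field, output_field)
    if problems:
        # Splunk reports a missing lookup field as an error instead of running.
        raise ValueError("; ".join(problems))
    norm = (lambda v: v) if case_sensitive else str.lower
    index = {norm(row[lookup_field]): row[output_field] for row in rows}
    return [{"dns": v, "Owner": index.get(norm(v))} for v in event_values]


def unmatched(result):
    """The dns values that came back with no Owner: the rows to inspect
    (compare them byte-for-byte against the CSV, including case and whitespace)."""
    return [row["dns"] for row in result if row["Owner"] is None]


if __name__ == "__main__":
    header, rows = load_lookup(SERVERLIST_CSV)
    print("header problems for 'dns':", check_fields(header, "dns", "Owner"))
    result = lookup(EVENT_DNS, header, rows, "DNS", "Owner")
    for row in result:
        print(row)
    print("unmatched:", unmatched(result))
    print("unmatched, case-insensitive:",
          unmatched(lookup(EVENT_DNS, header, rows, "DNS", "Owner", case_sensitive=False)))
```

Running it shows the two ways an Owner comes back empty even though "the fields are correct": the header check flags dns versus DNS, and the unmatched list isolates the values whose case or whitespace differs from the CSV, which is the same information the append/inputlookup/stats search above surfaces when a dns row has From="search" but no Owner.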

Makinde
New Member

Yes, I validated that the values from the DNS exist in the lookup file.

I ran the search you suggested; I get the DNS from the search, and I also get the DNS from the lookup file with the respective Owners against them.

I guess this confirms the lookup file works and the search criteria work as well. So what do I do to make it work now?
