Compare Search Result Against Lookup File and Output Multiple Fields

New Member

Hello,

I am not sure what I am doing wrong but logically I feel this search string should work however it isn't working.

So here is a description of what I am trying to do: I am trying to run a search of my data in Splunk, then output a field named DNS, then look up each DNS value in a lookup csv file, and where there is a match it should output the corresponding Owner. Here is the search string:

index=main sourcetype=ServerList dns=* | dedup dns | table dns | lookup ServerList.csv dns OUTPUT Owner | table dns Owner

What am I doing wrong here, I get the dns field but no Owner field is populated?


SplunkTrust

Check the field name in the ServerList.csv file which corresponds to the field dns. If they don't have the same name OR the case is different, the above will not work.

In case they are different OR of different case, use this:

index=main sourcetype=ServerList dns=* | dedup dns | table dns | lookup ServerList.csv FieldNameInlookup as dns OUTPUT Owner | table dns Owner


Esteemed Legend

Based on your description, all of these MUST be true (and probably one or more is not) for it to work:
1: There is a field in your events called dns (spelling and punctuation must be exact)
2: There is a field in your lookup file called dns (spelling and punctuation must be exact)
3: There is a field in your lookup file called Owner (spelling and punctuation must be exact)

Also, there should be (and in the latest versions of Splunk possibly must be) a lookup definition with ServerList.csv as the name and as the file to reference.

Also check the logs for bundle replication problems.


New Member

I am really confused here, as I have a minimum of at least 25 searches utilizing the csv file for different types of lookup and I am getting the expected result; however, this one in particular isn't working.

The fields are correct, word for word. It does actually run, it just doesn't return any values for the Owner field. If the field didn't exist I should get an error that it can't match the fields.


SplunkTrust

And you validated that the DNS from your search results are available in the lookup file?

Run this and see if this returns anything.

index=main sourcetype=ServerList dns=* | dedup dns | table dns | eval From="search" | append [| inputlookup ServerList.csv | table dns Owner | eval From="lookup" ] | stats values(*) as * by dns

New Member

Yes, I validated that the values from the DNS exist in the lookup file.

I ran the search you suggested; I get the DNS from the search, and I also get the DNS from the lookup file with the respective Owners against them.

I guess this confirms the lookup file works and the search criteria works as well. So what do I do to make it work out now?

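The accepted answer's point about field names and case, and the append/stats comparison suggested later in the thread, both come down to one question: does the value in the search result match the value in the CSV byte for byte? The following Python model, added here as an example and not part of the thread or of Splunk's own code, reproduces that behaviour on a constructed stand-in for ServerList.csv. The `lookup` function mirrors `| lookup ServerList.csv <lookup_field> as <event_field> OUTPUT Owner`: by default it matches exactly, as a CSV lookup definition does unless `case_sensitive_match = false` is set in transforms.conf; whether surrounding whitespace in the CSV breaks the match is modelled here as an assumption, so treat the `strip_whitespace` flag as a diagnostic rather than a Splunk setting. The `diagnose` function does what the thread's `append [| inputlookup ...] | stats values(*) as * by dns` search lets you do by eye: it tells you, per search value, whether the miss is a case or whitespace difference or a value that is simply not in the file. All hostnames, owners, and function names are constructed for the example.

```python
import csv
import io

# Constructed stand-in for ServerList.csv (not the thread's real file).
# Row 2 differs from the search value only in case; row 3 carries a trailing space.
LOOKUP_CSV = """dns,Owner
web01.example.internal,Alice
DB02.example.internal,Bob
app03.example.internal ,Carol
"""

# Constructed search results, i.e. what `... | dedup dns | table dns` would emit.
SEARCH_RESULTS = [
    {"dns": "web01.example.internal"},
    {"dns": "db02.example.internal"},
    {"dns": "app03.example.internal"},
    {"dns": "unknown.example.internal"},
]


def load_lookup(csv_text):
    """Parse lookup CSV text into rows keyed by header name, as inputlookup would."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lookup(events, rows, lookup_field, event_field, output_field,
           case_sensitive=True, strip_whitespace=False):
    """Model of `| lookup <file> <lookup_field> as <event_field> OUTPUT <output_field>`.

    Defaults mirror a plain CSV lookup definition: the match is exact, so an event
    whose value differs from the CSV only in case (or, under this model's assumption,
    surrounding whitespace) gets no output field at all. Separate lookup_field and
    event_field arguments model the `X as dns` rename needed when the CSV header is
    not literally `dns`.
    """
    def norm(value):
        value = value.strip() if strip_whitespace else value
        return value if case_sensitive else value.lower()

    index = {}
    for row in rows:
        # Simplification: keep the first row per key (Splunk would return a multivalue).
        index.setdefault(norm(row[lookup_field]), row[output_field])

    enriched = []
    for event in events:
        out = dict(event)
        owner = index.get(norm(event[event_field]))
        if owner is not None:
            out[output_field] = owner
        enriched.append(out)
    return enriched


def diagnose(events, rows, lookup_field, event_field):
    """Classify each search value: 'exact' match, match only after case-folding and
    trimming ('case-or-whitespace'), or 'absent' from the lookup file entirely."""
    exact = {row[lookup_field] for row in rows}
    folded = {row[lookup_field].strip().lower() for row in rows}
    report = {}
    for event in events:
        value = event[event_field]
        if value in exact:
            report[value] = "exact"
        elif value.strip().lower() in folded:
            report[value] = "case-or-whitespace"
        else:
            report[value] = "absent"
    return report


if __name__ == "__main__":
    rows = load_lookup(LOOKUP_CSV)
    for row in lookup(SEARCH_RESULTS, rows, "dns", "dns", "Owner"):
        print(row)
    print(diagnose(SEARCH_RESULTS, rows, "dns", "dns"))
```

Running it shows only web01 picking up an Owner under exact matching, while db02 and app03 are reported as case-or-whitespace misses and the unknown host as absent. In the thread's situation, where the asker sees the same dns values on both sides of the append, a case-or-whitespace result is the thing to look for before suspecting the lookup definition itself.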