Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Compare field with column of lookup table

giorgioanastasi
Explorer
‎11-28-2021 12:45 PM

Hi all, I have this need, compare a field with a series of error codes. I would not like to write in the search, any error codes, but I would like to use a lookup table. I then entered the error codes in a column (Name = Errors) of the table, but when i  perform the search, they are not compared correctly.

In the column, for example, is present: login.error.1004

In the search: tag = Log | lookup ServiziApp.csv ServiceName AS Service | search Functionality = "Access" errorCode! = Errors

But the lines despite having a field = login.error.1004, are displayed. Checking the extracted fields, the errorCode field contains login.error.1004 and the Errors field also contains login.error.1004.

Thanks in advance

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-29-2021 02:17 AM

OK, there's the issue - the lookup will not perform a wildcard match for the event error code against any value in the column from the lookup. You can make the lookup support wildcards, but what you actually want here is multiple values, so I suggest that you make a new row in the lookup for each error code you want 

In that case, the in() logic will work when you do the lookup, as all the errorcodes from the lookup file matching the service you are looking for, will be returned as a multi-value field and then the in() can find it.

 

View solution in original post

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎11-28-2021 01:26 PM

Firstly, the search command does not compare field against field, so the 

errorCode! = Errors

is actually looking for the text Errors in the errorCode field.

replace the search with

| where Functionality="Access" AND !match(errorCode, Errors)

however,  do you have the same ServiceName more than once in the lookup file. If so, then you will have Errors as a multi value field, and you would have to use something like 

| where !in(errorCode, Errors)

for that case.

 

Reply
Solved! Jump to solution

giorgioanastasi
Explorer
‎11-29-2021 02:12 AM

Hi Bowesmana and thanks for the response.

match work correctly with one error code, if i add other error codes in the lookup table, !IN(errorCode, Errors) does not work, i.e. the search does not filter these cases.

This is the contents of the lookup column:

login.error.E99999 login.error.10002

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-29-2021 02:17 AM

OK, there's the issue - the lookup will not perform a wildcard match for the event error code against any value in the column from the lookup. You can make the lookup support wildcards, but what you actually want here is multiple values, so I suggest that you make a new row in the lookup for each error code you want 

In that case, the in() logic will work when you do the lookup, as all the errorcodes from the lookup file matching the service you are looking for, will be returned as a multi-value field and then the in() can find it.

 

Reply
Solved! Jump to solution

giorgioanastasi
Explorer
‎11-29-2021 10:07 PM

Thanks again, adding the error codes on multiple lines works

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...