Splunk Search

Could someone help me with inputlookup within a search?

desperate
Engager

Hi all,

I am quite new to Splunk and now trying to create a dashboard panel using a query that does the following:

  • pulls the required fields from an index based on textfield input
  • checks on one specific field "opsID" from the index against a field "code" in a csv i uploaded
  • if it is present in the csv, I just want to return a simple output that I could use to display in a table form

The csv looks something like this:

code, notes
123, User
456, Admin
789, User

 

Example of my query:

index=userdatabase "abc12345"
| eval abc=[|inputlookup Lookup.csv | where code=opsID| fields notes]
| eval isPresent=if(abc!="", YES, NO)
| table username, isPresent

 

However I am getting errors like Error in 'eval' command: The expression is malformed. An unexpected character is reached at ')'. I tried for a few days can't seem to figure it out my mistake, hence hoping for some help over my basic question.. I got a feeling my logic could be wrong to begin with

Labels (1)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @desperate,

You can try below;

index=userdatabase "abc12345"
| lookup Lookup.csv code as opsID OUTPUT notes
| eval isPresent=if(isnotnull(notes), "YES", "NO")
| table username, isPresent
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

desperate
Engager

Thank you Sir @scelikok and @gcusello .

Appreciate the help, both of you are correct. I did not think toward this direction, i was over complicating my own query.

It works now. Once again appreciate the quick response

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @desperate,

you should read the documentation about lookup command at https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Lookup and it could be a good idea to follow the Splunk Search Tutorial to better learn abou SPL http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial .

Anyway, to solve your problem, please try this:

index=userdatabase "abc12345"
| lookup Lookup.csv code AS opsID OUTPUT notes
| where notes=*
| table code notes

Ciao.

Giuseppe

 

scelikok
SplunkTrust
SplunkTrust

Hi @desperate,

You can try below;

index=userdatabase "abc12345"
| lookup Lookup.csv code as opsID OUTPUT notes
| eval isPresent=if(isnotnull(notes), "YES", "NO")
| table username, isPresent
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...