Splunk Search

Display Input Lookup Data

harsush
Path Finder

Hi Team,

How to display lookup fields along with search fields.

search Query
index=AA* host=ABC source=/tmp/processMonitor* instance=XYZ apphome =*** | lookup boxdata host | search box_live_state="LIVE" | stats latest(state) as Status by host, apphome, instance, appmon | table host apphome instance appmon box_live_state

Iam not getting anything under box_live_state, Is thr any way to display ??

boxdata
box_env box_live_state box_location box_model box_os box_patch box_rack box_rfb box_ver host
QA NOTLIVE ABC-DE HPXYZQ RHAS 1234 324 lxmcp 6.9 hostny01

Expecting output
host apphome instance appmon Status box_live_state
ABC /xy/abc abc 1 down Live

Thanks
Harsha

0 Karma

niketn
Legend

@harsush, please reverse the lookup pipe which should be after stats command. In your current query the stats command is removing enriched field/s from lookup including box_live_state.

index=AA* host=ABC source=/tmp/processMonitor* instance=XYZ apphome =*** 
| stats latest(state) as Status by host, apphome, instance, appmon 
| lookup boxdata host 
| search box_live_state="LIVE"
| table host apphome instance appmon box_live_state

Also as per performance consideration, lookup should be performed after transforming commands ensuring records are reduced prior to correlating with the lookup file: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup#Optimizing_your_lookup_se...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

@harsush, please confirm whether your issue is resolved.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...