Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I compare lookup field to search and print another field in lookup file?

cyrus_thesplunk
Engager
‎04-04-2023 09:33 AM

Currently in my logs I am getting the hostname of the users but not their usernames. I created a lookup table that contains hostnames and usernames. I am trying to match the hostname from search to the hostname in the lookup file and then print their correlated username in a table format in the search visualization. 

Lookup file:

hostnameusername
host1user1
host2user2
host3user3
host4user4

 

search:
index=windows sourcetype:eventlogs 
[|inputlookup users.csv | fields hostname username | rename hostname as users]
~~~print username correlated to "users" in the above string.~~~

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-05-2023 05:24 PM

index="windows" AND sourcetype="eventlogs"
| lookup users.csv hostname AS host OUTPUT username AS users
| table _time Time Hostname Username Src IP

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-05-2023 05:24 PM

index="windows" AND sourcetype="eventlogs"
| lookup users.csv hostname AS host OUTPUT username AS users
| table _time Time Hostname Username Src IP

0 Karma
Reply
Solved! Jump to solution

cyrus_thesplunk
Engager
‎04-06-2023 06:17 AM

Thank you! This worked perfectly

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-04-2023 11:39 AM

You would need to use "lookup" command to enrich your data from lookup table fields, like this

index=windows sourcetype:eventlogs 
| lookup users.csv hostname as host OUTPUT username as users
0 Karma
Reply
Solved! Jump to solution

cyrus_thesplunk
Engager
‎04-05-2023 04:03 AM

Got it. I understand this part but where are you comparing the hostname in the search to hostname in the lookup file and then printing the username correlated to that hostname in the table.

This is what the search visualization results should look like.

TimeHostnameUsernameSrc IP
5:01 amhost1user1192.xxx.xxx.xxx
5:07 amhost2user2192.xxx.xxx.xxx
5:09 amhost3user3192.xxx.xxx.xxx


Username information is the only thing thats coming from the lookup file. Rest of it comes from the search. 

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...