Splunk Search

How do you map value from inputlookup to another search

johanhakim
Explorer

Hi,

I have 2 separate queries as below:

Query1: (normal splunk search e.g. index=* host=abcde | table Message1,Message2,Status ....)

Message1, Message2, Status

aaaa,bbbb,0x000006d

Query2: (using inputlookup blabla.csv | table Status,Action)

Status,Action

0x00006d,Failure

How do I map both queries above and produce output as below:

Output:

Message1,Message2,Status,Action

aaaa,bbbb,0x00006d,Failure

Basically the Status from Query1 needs to be mapped with Query2 and output the corresponding action.

Appreciate the help!


1 Solution

rnowitzki
Builder

Hi @johanhakim,

After Query 1 you could use:

| lookup blabla.csv Status OUTPUT Action


One of multiple approaches.

Hope it helps.
Ralph

--
Karma and/or Solution tagging appreciated.


johanhakim
Explorer

Only the Status column has values. There are no values under the Action column. It seems like it is not mapping. Any other way?


rnowitzki
Builder

What are the actual column names in the lookup table? Are they "Status" and "Action" (starting with a capital letter)?
And the fields from Query 1?

--
Karma and/or Solution tagging appreciated.

johanhakim
Explorer

In the lookup table the headers are:

EventCode,action,Error_Code,Description

1111,failure,0x00006d,bad username

For query1 it is as below:

Message1,Message2,Status

The "status" field from query1 is produced from a rex command.


rnowitzki
Builder

So, there is no "Status" field in the lookup, which is why it didn't map.

I assume the field "Error_Code" is what you want to map with the "Status" from Query 1.

| lookup blabla.csv Error_Code AS Status OUTPUT action AS Action



--
Karma and/or Solution tagging appreciated.

johanhakim
Explorer

Not to worry, i found the solution!

The Error_Code (I have renamed this to Status) in Query 2 was in uppercase, whereas the Status in Query 1 was in lowercase. After matching them to either upper or lower case, I managed to get the desired output based on your lookup recommendation.

Thanks anyway! 😃
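Pulling the thread together, here is the complete pipeline as an added example (not code from the original posts). It assumes the lookup file blabla.csv with the header EventCode,action,Error_Code,Description that johanhakim posted, and that Status in the event search is already extracted by the poster's rex (the pattern is not shown on the page, so it is not repeated here). Two details decide whether the mapping works: the lookup command takes its arguments as <lookup_field> AS <event_field>, so the lookup column Error_Code comes first and the event field Status second; and CSV lookup matching is case-sensitive by default, which is exactly why 0x00006D in the file would not match 0x00006d in the events. The first search previews the lookup's real headers and values (the check that exposes a wrong column name or a case mismatch immediately), the second rewrites the lookup file with Error_Code lower-cased so both sides agree (this overwrites the file; skip it if you prefer the transforms.conf route below), the third is the mapped search, and the fourth lists event codes that still have no lookup entry.

```spl
| inputlookup blabla.csv
| head 5

| inputlookup blabla.csv
| eval Error_Code=lower(Error_Code)
| outputlookup blabla.csv

index=* host=abcde
| eval Status=lower(Status)
| lookup blabla.csv Error_Code AS Status OUTPUT action AS Action
| table Message1, Message2, Status, Action

index=* host=abcde
| eval Status=lower(Status)
| lookup blabla.csv Error_Code AS Status OUTPUT action AS Action
| where isnull(Action)
| stats count by Status
```

If the lookup is defined as a stanza in transforms.conf rather than referenced by filename, the non-destructive alternative is to set case_sensitive_match = false in that stanza and then call lookup with the stanza name instead of blabla.csv; the eval lower() on the event side can then be dropped. Either way, run the last search after any change to the lookup: an unmapped Status that still shows up there is a code missing from the file, not a matching problem.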
