Splunk Search

How do you map value from inputlookup to another search

johanhakim
Explorer

Hi,

I have 2 separate queries as below:

Query1: (normal Splunk search e.g. index=* host=abcde | table Message1,Message2,Status ....)

Message1, Message2, Status

aaaa,bbbb,0x000006d

Query2: (using inputlookup blabla.csv | table Status,Action)

Status,Action

0x00006d,Failure

How do I map both queries above and produce output as below:

Output:

Message1,Message2,Status,Action

aaaa,bbbb,0x00006d,Failure

Basically the Status from Query1 needs to be mapped with Query2 and output the corresponding action.

Appreciate the help!

1 Solution

rnowitzki
Builder

Hi @johanhakim,

After Query 1 you could use:

| lookup blabla.csv Status OUTPUT Action


One of multiple approaches.

Hope it helps.
Ralph

--
Karma and/or Solution tagging appreciated.


johanhakim
Explorer

Only Status column has value. No value under the action column. Seems like it is not mapping. Any other way?


rnowitzki
Builder

What are the actual column names in the lookup table? Is it "Status" and "Action" (Starting with capital letter)?
Also the fields from Query 1?

--
Karma and/or Solution tagging appreciated.

johanhakim
Explorer

In the lookup table the headers are:

EventCode,action,Error_Code,Description

1111,failure,0x00006d,bad username

For query1 it is as below:

Message1,Message2, Status

The "status" field from query1 is produced from a rex command.


rnowitzki
Builder

So, there is no "Status" field in the Lookup, that's why it didn't map.

I assume the field "Error_Code" is what you want to map with the "Status" from Query 1.

| lookup blabla.csv Error_Code AS Status OUTPUT action AS Action



--
Karma and/or Solution tagging appreciated.

johanhakim
Explorer

Not to worry, I found the solution!

The Error_Code (I have renamed this to Status) in Query 2 was in uppercase whereas the Status in Query 1 was in lowercase. After matching them to either upper/lower case, I managed to get the desired output based on your lookup recommendation.

Thanks anyways! 😃
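As an added example (not code from this thread), the complete search with the fix the thread converges on: normalize the case of the rex-extracted Status, then look it up against the CSV's Error_Code column with the lookup field named first and AS pointing at the event field. The event format the rex matches, the lookup definition name `blabla`, and the assumption that the CSV's Error_Code values are lowercase are mine.

```spl
index=* host=abcde
| rex field=_raw "Message1=(?<Message1>\S+)\s+Message2=(?<Message2>\S+)\s+Status=(?<Status>0x[0-9A-Fa-f]+)"
| eval Status=lower(Status)
| lookup blabla Error_Code AS Status OUTPUT action AS Action, Description
| fillnull value="UNMAPPED" Action
| table Message1, Message2, Status, Action, Description
```

If the CSV values cannot be normalized, setting `case_sensitive_match = false` in the lookup's transforms.conf stanza makes the match case-insensitive instead, and the `fillnull` keeps rows whose code is missing from the table visible rather than silently blank.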
