Hi,
I have 2 separate queries as below:
Query1: (normal splunk search e.g. index=* host=abcde | table Message1,Message2,Status ....)
Message1, Message2, Status
aaaa,bbbb,0x000006d
Query2: (using inputlookup blabla.csv | table Status,Action)
Status,Action
0x00006d,Failure
How do I map both queries above and produce output as below:
Output:
Message1,Message2,Status,Action
aaaa,bbbb,0x00006d,Failure
Basically the Status from Query1 needs to be mapped with Query2 and output the corresponding action.
Appreciate the help!
Hi @johanhakim,
After Query 1 you could use:
| lookup blabla.csv Status OUTPUT Action
One of multiple approaches.
Hope it helps.
Ralph
Only the Status column has a value. No value under the Action column. Seems like it is not mapping. Any other way?
What are the actual column names in the lookup table? Is it "Status" and "Action" (Starting with capital letter)?
Also the fields from Query 1?
In the lookup table the headers are:
EventCode,action,Error_Code,Description
1111,failure,0x00006d,bad username
For query1 it is as below:
Message1,Message2, Status
The "status" field from query1 is produced from a rex command.
So, there is no "Status" field in the Lookup, that's why it didn't map.
I assume the field "Error_Code" is what you want to map with the "Status" from Query 1.
| lookup blabla.csv Error_Code AS Status OUTPUT action AS Action
Not to worry, I found the solution!
The Error_Code (I have renamed this to Status) in Query 2 was in uppercase whereas the Status in Query 1 was in lowercase. After matching them to either upper/lower case, I managed to get the desired output based on your lookup recommendation.
Thanks anyways! 😃
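A complete search that puts the two points in this thread together (the lookup-field-to-event-field mapping from Ralph's second answer, and the case mismatch the original poster hit), written here as an added example rather than code from either participant. It assumes the lookup CSV has the headers shown above (Error_Code, action, Description), that a lookup definition named status_actions has been created for blabla.csv in transforms.conf, and that the hex status code is extracted from _raw with a rex pattern of my own; the field names Message1, Message2 and Status are the ones from the original query.

```spl
index=* host=abcde
| rex field=_raw "(?<Status>0x[0-9A-Fa-f]+)"
| eval Status=lower(Status)
| lookup status_actions Error_Code AS Status OUTPUT action AS Action Description AS Description
| fillnull value="no lookup match" Action Description
| table Message1 Message2 Status Action Description
```

In the lookup command the lookup column comes first and the event field follows AS, so Error_Code AS Status means "match the CSV's Error_Code against the event's Status"; OUTPUT action AS Action renames the CSV's lowercase action column to the Action name wanted in the output. Lookup matching is case-sensitive by default, which is why uppercase 0x00006D in the CSV never matched lowercase 0x00006d from rex. The eval lower() normalises the event side, but the cleaner fix is on the lookup definition itself: in transforms.conf, a stanza such as `[status_actions]` with `filename = blabla.csv` and `case_sensitive_match = false` makes the match case-insensitive on both sides, and referencing the definition name (status_actions) instead of the raw filename is what makes that setting apply. The fillnull line exists so that a status code missing from the CSV is visible as "no lookup match" rather than as a silently empty cell, which is the condition that started this thread.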