Splunk Search

How do you search an inputlookup for the results of your query?

DdanielbriemB
New Member

I'm a little stumped with what I am trying to achieve with the lookup of values from a CSV, which are based on the search results I get when performing a search.

CSV is defined as an inputlookup and contains field1,field2

When I search, I will have a value returned that is in the format of field1 in the CSV. And, I would like to display the corresponding field2 in my search results. For example: username,displayname.

I've looked at the inputlookup and lookup documentation, but am unsure how to pass results or filter a subquery's results for the value.


richgalloway
SplunkTrust

Searching a lookup file named foo.csv that contains "field1" and "field2" is simply ... | lookup foo.csv field1 OUTPUT field2.
This means you will need a field called "field1" before calling lookup. The SPL for that is index=myindex field1="*" | lookup foo.csv field1 OUTPUT field2.
What if your events don't have a field called "field1"? The lookup command allows for that, as in this example:

index=myindex username="*" | lookup foo.csv field1 as username OUTPUT field2 as displayname | table username displayname
---
If this reply helps you, Karma would be appreciated.
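To make the semantics of the answer concrete, here is an added example (written for this page, not code from the answerer or from Splunk) that models what `| lookup foo.csv field1 AS username OUTPUT field2 AS displayname | table username displayname` does to a set of search results. The CSV contents, the event records and the usernames in them are constructed for the example; the `case_sensitive` flag stands in for the transforms.conf `case_sensitive_match` setting, which defaults to true, so a lookup key that differs only in case does not match unless that setting is changed.

```python
"""Model of Splunk's `lookup` command: enrich each search result with a
field from a CSV lookup, renaming the lookup's input and output fields to
the names the events use. Added example; not Splunk's or the answerer's code.
"""
import csv
import io

# Constructed lookup file standing in for foo.csv (columns field1,field2).
FOO_CSV = """field1,field2
jdoe,John Doe
asmith,Alice Smith
svc_backup,Backup Service Account
"""

# Constructed events standing in for the results of `index=myindex username="*"`.
EVENTS = [
    {"_time": "2024-05-01T09:00:00", "username": "jdoe", "action": "login"},
    {"_time": "2024-05-01T09:05:00", "username": "asmith", "action": "login"},
    {"_time": "2024-05-01T09:07:00", "username": "JDOE", "action": "login"},
    {"_time": "2024-05-01T09:09:00", "username": "mallory", "action": "login"},
]


def load_lookup(csv_text, key_field, case_sensitive=True):
    """Parse a CSV lookup into {key: row}. Splunk matches CSV lookup keys
    case-sensitively unless transforms.conf sets case_sensitive_match=false;
    the flag models that setting. Keeps the first row per key (a real lookup
    can return several matching rows as a multivalue field)."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row[key_field] if case_sensitive else row[key_field].lower()
        table.setdefault(key, row)
    return table


def lookup(events, csv_text, lookup_key, event_key, output_map, case_sensitive=True):
    """Equivalent of
        | lookup foo.csv <lookup_key> AS <event_key> OUTPUT <csv_field> AS <event_field> ...
    Like Splunk's lookup this is a left join: events with no match are kept
    and simply do not receive the OUTPUT fields."""
    table = load_lookup(csv_text, lookup_key, case_sensitive)
    enriched = []
    for ev in events:
        out = dict(ev)
        key = ev.get(event_key)
        if key is not None:
            row = table.get(key if case_sensitive else key.lower())
            if row is not None:
                for csv_field, event_field in output_map.items():
                    out[event_field] = row[csv_field]
        enriched.append(out)
    return enriched


def table_cmd(events, *fields):
    """`| table username displayname`: keep only the named fields, in order.
    A field the event never received is None here (blank in Splunk's table)."""
    return [{f: ev.get(f) for f in fields} for ev in events]


def run_search(case_sensitive=True):
    """The full pipeline from the answer, over the constructed events."""
    results = lookup(EVENTS, FOO_CSV, "field1", "username",
                     {"field2": "displayname"}, case_sensitive)
    return table_cmd(results, "username", "displayname")


if __name__ == "__main__":
    for row in run_search():
        print(row)
```

Two behaviours worth knowing when you use this for identity enrichment: the event for `JDOE` gets no displayname under the default case-sensitive match, and `mallory` stays in the output with an empty displayname because lookup never drops unmatched events. The second is useful rather than a nuisance: appending `| where isnull(displayname)` to the real search lists accounts that authenticated but are absent from your user list.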