Splunk Search

How do you search an inputlookup for the results of your query?

New Member

I'm a little stumped with what I am trying to achieve with the lookup of values from a CSV, which are based on the search results I get when performing a search.

The CSV is defined as an inputlookup and contains field1,field2.

When I search, I will have a value returned that is in the format of field1 in the CSV. And, I would like to display the corresponding field2 in my search results. For example: username,displayname.

I've looked at the inputlookup and lookup documentation, but am unsure how to pass results or filter a subquery's results for the value.

0 Karma


Searching a lookup file named foo.csv that contains "field1" and "field2" is simply ... | lookup foo.csv field1 OUTPUT field2.
This means you will need a field called "field1" before calling lookup. The SPL for that is index=myindex field1="*" | lookup foo.csv field1 OUTPUT field2.
What if your events don't have a field called "field1"? The lookup command allows for that, as in this example:

index=myindex username="*" | lookup foo.csv field1 as username OUTPUT field2 as displayname | table username displayname
If this reply helps you, an upvote would be appreciated.
0 Karma
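
The reverse direction asked about in the question's title, filtering the rows of foo.csv down to the usernames that actually appear in the events, as an added example that is not part of the original reply. It reuses the thread's names (myindex, foo.csv, field1, field2, username, displayname); the subsearch runs first and its output is applied as a field1 filter on the lookup rows.

```spl
| inputlookup foo.csv
| search
    [ search index=myindex username="*"
      | stats count BY username
      | rename username AS field1
      | fields field1 ]
| rename field1 AS username, field2 AS displayname
| table username displayname
```

Subsearches are subject to result-count and runtime limits, so for a large number of distinct usernames the lookup form shown in the reply is the more reliable choice.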