Splunk Search

How to compare search results with lookup?

bosseres
Contributor

Hello, everyone!

During a search I get a table like this:

| time     | host  | user    | action  | result  |
|----------|-------|---------|---------|---------|
| 12:24:06 | host1 | Alex    | action1 | success |
| 12:48:32 | host2 | Michael | action2 | fail    |

I have a lookup, users.csv, which looks like this:

| host  | user   |
|-------|--------|
| host1 | Alex   |
| host2 | George |

I want to compare my table with the lookup and, if host and user match, return my table (time, host, user, action, result); so for this example I want to get in the results table:

| time     | host  | user | action  | result  |
|----------|-------|------|---------|---------|
| 12:24:06 | host1 | Alex | action1 | success |

(because in the second line the user does not match). Thank you in advance.


gcusello
Esteemed Legend

Hi @bosseres,

If you could share your search I could be more detailed; anyway, the inputlookup command in a subsearch is the solution for your need.

Please try something like this (adapting it to your search):

index=your_index [ | inputlookup users.csv | fields host user ]
| table time host user action result

I supposed that the columns of the lookup are host and user.

Ciao.

Giuseppe

bosseres
Contributor

Solved the problem; the topic can be closed.

gcusello
Esteemed Legend

Hi @bosseres,

If you solved the problem, you can accept the solution for the other people of the Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉


bosseres
Contributor

I found out the reason why it's not working.

It's because there is no original field "user" in the logs; I get user with the rex command.

So it works with | inputlookup ... | fields host, but does not work with | inputlookup ... | fields host user.

bosseres
Contributor

I've tried it, but it doesn't work; I need to filter after I get the result in the table.

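Added example (not from any post in this thread) showing why the suggested search fails when user only exists after rex, and how to apply the lookup filter after extraction. A subsearch placed in the base search expands to a filter such as ( host="host1" AND user="Alex" ) OR ( host="host2" AND user="George" ) and is evaluated against the raw events before any rex runs, so a field that rex creates can never match there. Moving the same subsearch into a | search command after the rex applies it to the extracted field. The index name, sourcetype and the regex are assumptions for illustration; the lookup file and its host and user columns come from the thread.

```spl
index=your_index sourcetype=your_sourcetype
| rex field=_raw "user=(?<user>\w+)"
| search [ | inputlookup users.csv | fields host user ]
| table _time host user action result
```

The same result can be obtained without a subsearch by enriching each event from the lookup and keeping only the rows where the extracted user equals the expected one: replace the | search line with | lookup users.csv host OUTPUT user AS expected_user followed by | where user=expected_user. This variant is easier to extend with an explicit mismatch report (for example, tabling the rows where the two values differ) when the aim is to spot activity by an unexpected user on a host.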