Re: How to convert CSV lookup to DBXlookup?

LearningGuy · ‎06-25-2024

How to convert CSV lookup to DBXlookup?
The lookup using CSV worked just fine.
The CSV was moved to the database and when I converted lookup to DBXLookup, it didn't work.

Please suggest. Thanks

The following is only an example of a concept what I am trying to do, but it's not a real data.
I don't know how to simulate index vs dbxquery on a test data.

index=vuln_index

| lookup host_ip.csv ip_address as ip OUTPUTNEW ip_address, hostname, os_type

| dbxlookup connection="test" query="select * from host_ip" ip_address as ip OUTPUTNEW ip_address, hostname, os_type

Data CSV => DBX

ip_address	hostname	ostype
192.168.1.1	host1	ostype1
192.168.1.2	host2	ostype2
192.168.1.3	host3	ostype3
192.168.1.4	host4	ostype4

index=vuln_index

ip	vuln
192.168.1.1	vulnA
192.168.1.1	vulnB
192.168.1.2	vulnC
192.168.1.2	vulnD

Expected result

ip_address	hostname	ostype	vuln
192.168.1.1	host1	ostype1	vulnA
192.168.1.1	host1	ostype1	vulnB
192.168.1.2	host2	ostype2	vulnC
192.168.1.2	host2	ostype2	vulnD

KendallW · ‎06-30-2024

Hi @LearningGuy , does the query return any results when you run it on the DB directly?

select * from host_ip

Also noticed you have "os_type" in your query vs "ostype" in your lookup. Could be the issue 🙂

How to convert CSV lookup to DBXlookup?

lookup

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation