How to create a search that checks each value from an inputlookup table in a search and returns the results

Suagni
Observer

Hey Guys, 

I am trying to write an SPL search in Splunk where I have a lookup file with 10 values, and I want to search each value against a search and return results if found.

E.g. lookup file: the column name is States and the values are as below:

Alaska
Arizona
Arkansas
California
Colorado

Now I want to search each of the states one after the other in a search and display the results with the columns (States, IP, Country, user, workstation).

Please help.

Thank you

gcusello
SplunkTrust

Hi @Suagni,

you have to use a subsearch, paying attention to the field names, which must be the same in the main search and the subsearch; in other words, the States field must be present in both searches and written exactly the same way (it's case-sensitive).

Something like this:

index=your_index [ | inputlookup your_lookup.csv | fields States ]
| table States IP Country user workstation

This is possible if all the fields to display are in the main search and you only have to check whether the States values are also in the lookup.

If instead some fields come from the lookup, you have to add an additional command: so if, for example, the Country field comes only from the lookup, you have to write:

index=your_index [ | inputlookup your_lookup.csv | fields States ]
| lookup your_lookup.csv States OUTPUT Country
| table States IP Country user workstation

Ciao.

Giuseppe

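Two additions of my own, not from Giuseppe's answer, that help when this pattern misbehaves: running the subsearch on its own with `format` shows the literal `( States="Alaska" ) OR ( States="Arizona" ) ...` filter that gets spliced into the outer search, and a `lookup`-based form avoids the subsearch (and its result limits) entirely by keeping only events whose States value is found in the file. Both assume the page's `your_index` and `your_lookup.csv`; the alias `in_lookup` is a name I chose.

```spl
| inputlookup your_lookup.csv
| fields States
| format

index=your_index
| lookup your_lookup.csv States OUTPUT States AS in_lookup
| where isnotnull(in_lookup)
| table States IP Country user workstation
```

Field names such as States are case-sensitive in both forms; the lookup variant also matches values case-sensitively by default (transforms.conf case_sensitive_match), so an event with "alaska" would not match a lookup row of "Alaska".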