Splunk Search

How to display matched and non matched content from lookup

shashank_24
Path Finder

Hi,

I have a lookup which contains one column (name - vanity_url) and around 800 rows. Something like this -

vanity_url
/checkout
/your-details
/billing

My Splunk logs have the events related to these rows in a field called requested_content. Some of them are present in the logs and some are not. I want to print the matched and non-matched values from the lookup in a table. Something like this -

requested_content    present
/checkout            yes
/your-details        yes
/billing             yes
/direct-debit        no

I have tried something like this but it doesn't seem to be working.

index=myapp_pp sourcetype=access_combined GET host="my-server-*"
| eval type="MainIndex" 
| fields requested_content type
| appendpipe  
    [| inputlookup vanity.csv  
    | eval type="lookup" 
    | rename vanity_url as requested_content 
    | fields type requested_content ] 
| stats dc(type) as pot, values(*) AS * by requested_content
| where pot=1 and type="lookup"

@to4kawa 

to4kawa
Ultra Champion
Hi @shashank_24

index=myapp_pp sourcetype=access_combined GET host="my-server-*"
| lookup vanity.csv vanity_url as requested_content OUTPUT name
| stats count by requested_content name
| eval present=if(isnull(name),"no","yes")

shashank_24
Path Finder

@to4kawa I have tried it but it's not working. Are you saying that I should create a new lookup file with 2 columns, vanity_url and name? What will the name column contain?

I already have the lookup created with one column, vanity_url, which contains the same values as the field requested_content in my search.

I am getting this error: Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table.

Can you advise?

to4kawa
Ultra Champion
I see your csv is one column. How about this?

index=myapp_pp sourcetype=access_combined GET host="my-server-*"
| lookup vanity.csv vanity_url as requested_content OUTPUT vanity_url as name
| stats count by requested_content name
| eval present=if(isnull(name),"no","yes")
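A query that produces the exact table asked for in the question, including lookup rows such as /direct-debit that never appear in the logs, as an added example rather than either poster's SPL; it assumes the index, sourcetype, host pattern and the one-column vanity.csv lookup named in this thread.

```spl
index=myapp_pp sourcetype=access_combined GET host="my-server-*"
| stats count AS hits BY requested_content
| inputlookup append=true vanity.csv
| eval requested_content=coalesce(requested_content, vanity_url)
| stats sum(hits) AS hits, count(vanity_url) AS in_lookup BY requested_content
| where in_lookup>0
| eval present=if(coalesce(hits,0)>0, "yes", "no")
| sort requested_content
| table requested_content present
```

The first stats collapses the events to one row per requested_content, the appended lookup rows are merged onto the same key, and the second stats is grouped only on that key, so a lookup value with no matching events keeps its row and gets present=no; grouping on a field that can be null (as in stats ... by requested_content name) would silently drop those rows instead.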

shashank_24
Path Finder

@to4kawa Yes, it worked. I should have tried it. Thanks mate for the help. 🙂
