Splunk Search

How to edit my search to populate select fields in a lookup table?

kmattern
Builder

I have a lookup table that contains a list of about 50 computers. The columns are ComputerName, SoftwareVersion, cs_username.

Currently only ten of the computers are online. The balance will be coming online in the coming weeks. I want to build a scheduled saved search that will read the contents of the lookup table and compare the cs_username to the matching IIS field. If the fields match then update the SoftwareVersion number with a value found in the cs_user_agent field, otherwise set the value to "UNK". As time passes all of the records will have the correct SoftwareVersion. This search returns only the matching cs_username records from IIS logs but not the non-matching cs_username records from the lookup table. ComputerInfo is an extracted field from the User Agent field. What am I missing?

index=iis sourcetype=iis Location | dedup cs_username
| lookup CustomerBoxes.csv cs_username OUTPUT ComputerName, SoftwareVersion, cs_username
| makemv delim="/" ComputerInfo
| eval Version=mvindex(ComputerInfo,1)
| table ComputerName, SoftwareVersion, cs_username
| outputlookup CustomerBoxes.csv

0 Karma
1 Solution

jkat54
SplunkTrust

start with the lookup and inputlookup command, kinda like this maybe... you have some fields in there and commands that I don't know where to put:

| inputlookup CustomerBoxes.csv 
| join type=outer cs_username [search index=iis sourcetype=iis Location | dedup cs_username  ]
| table ComputerName, SoftwareVersion, cs_username
| outputlookup CustomerBoxes.csv

??? something like that. The lookup you're doing will only return matches. Instead if you start with the lookup, and join/append/etc the iis data to it, you will keep the original data from the lookup.

0 Karma
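The accepted approach carried through to the full update the question describes, as an added example that is not part of the original answer: it starts from the lookup so every row survives, outer-joins the per-user Version computed in the subsearch, and only falls back to "UNK" for rows that have no version yet, so a version written by an earlier run is kept. Field names (cs_username, ComputerInfo, SoftwareVersion) and the mvindex offset are taken from the question's own search; the CSV column layout is assumed to match it.

```spl
| inputlookup CustomerBoxes.csv
| join type=outer cs_username
    [ search index=iis sourcetype=iis Location
      | dedup cs_username
      | makemv delim="/" ComputerInfo
      | eval Version=mvindex(ComputerInfo,1)
      | fields cs_username Version ]
| eval SoftwareVersion=case(
      isnotnull(Version), Version,
      isnull(SoftwareVersion) OR SoftwareVersion=="", "UNK",
      true(), SoftwareVersion)
| fields ComputerName SoftwareVersion cs_username
| outputlookup CustomerBoxes.csv
```

join matches field values exactly, so if usernames differ in case between the CSV and the IIS logs, apply lower() to cs_username on both sides before joining. Subsearches are also subject to Splunk's result-count and time limits, which is not a concern at around 50 rows but matters if the lookup grows.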

jkat54
SplunkTrust

If this worked can you please accept as the answer?

0 Karma

kmattern
Builder

Perfect!

Thanks

0 Karma

jkat54
SplunkTrust

Add type=outer to the join command...

  join type=outer cs_username [...]

0 Karma

kmattern
Builder

Your suggested search returns exactly the same set of 10 computers. I tried ideas like that already. Thanks

0 Karma