Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to include additional field from inputlookup in results?

luc_k
Engager
‎09-20-2017 12:38 AM

Hi,

I have a lookup table errors.csv ,which contains Error and Source columns.I have a query the returns log entries containing Error column values :

[|inputlookup errors.csv | rename Error AS query | fields query ]

How do I add the Source column to the results?

Thanks,

Luc

0 Karma
Reply

sbbadri
Motivator
‎09-20-2017 07:38 AM

try this,

[|inputlookup errors.csv where Source=* | rename Error AS query | fields query Source | table query Source]

Reply

DalJeanis
Legend
‎09-20-2017 01:36 PM

@sbbadri - The user didn't say so, but the brackets indicate that this is a subsearch, so this solution will not work. if Source got passed back at all, it would act as a limit on the main search, rather than giving extra information.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-20-2017 07:30 AM

Hi
as the previous adding lookup command, try something like this

your_search [ | inputlookup your_lookup.csv | rename Error AS quesry | fields query ]
| rename _raw as rawText
| eval foo=[
    | inputlookup your_lookup.csv 
    | eval query="%"+Error+"%" 
    | stats values(query) AS query 
    | eval query=mvjoin(query,",") 
    | fields query 
    | format "" "" "" "" "" ""
    ]
| eval foo=split(foo,",") 
| mvexpand foo 
| where like(rawText,foo)
| rex field=foo "\%(?<Error>[^\%]*)\%"
| lookup errors.csv Error OUTPUT Source
| ...

Bye.
Giuseppe

Reply

DalJeanis
Legend
‎09-20-2017 01:48 PM

@cusello - Not precisely the way I would do it, but it should work for moderate numbers of events and moderate numbers of records in the lookup. For larger numbers of records, I'd replace the mvexpand with a rex that pulls out those error values directly, rather than multiplying the number of records.

Something like this...

 your_search
    [ | inputlookup your_lookup.csv 
    | rename Error AS query 
    | fields query ]
| rex field=_raw [ | inputlookup your_lookup.csv 
    | table Error 
    | sort 0 - Error 
    | rex mode=sed field=Error "s/ /!!!!/g" 
    | format "(?i)(<Error>" "" "" "" "|" ")" 
    | rex mode=sed field=search "s/[ \"]//g s/^\(/\"(/g s/\)$/)\"/g s/!!!!/ /g"]
 | lookup your_lookup.csv Error OUTPUT Source

Note that this is air code. I would test that rex-build subsearch with this first, to make sure the regular expression was well formed. 

 | inputlookup your_lookup.csv 
    | table Error 
    | sort 0 - Error 
    | rex mode=sed field=Error "s/ /!!!!/g" 
    | format "(?i)(<Error>" "" "" "" "|" ")" 
    | rex mode=sed field=search "s/[ \"]//g s/^\(/\"(/g s/\)$/)\"/g s/!!!!/ /g"
Reply

luc_k
Engager
‎09-24-2017 02:52 AM

Thanks a lot for your replies!

I receive this error:

Error in 'rex' command: The regex '(?i)(Error=not starting because the task should|Error=Error getting data)' does not extract anything. It should specify at least one named group. Format: (?...).

0 Karma
Reply

HiroshiSatoh
Champion
‎09-20-2017 07:27 AM

Try this!

|inputlookup errors.csv
|map search="search (your search) \"$Error$\"|eval Error=\"$Error$\", Source=\"$Source$\""

Reply

DalJeanis
Legend
‎09-20-2017 01:50 PM

@HiroshiSatoh - This will work, but I'd only do it for very small numbers of error messages (no more than 10, or at most 20). map is very expensive for what you get.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...