Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to include additional field from inputlookup in results?

luc_k
Engager
‎09-20-2017 12:38 AM

Hi,

I have a lookup table errors.csv ,which contains Error and Source columns.I have a query the returns log entries containing Error column values :

[|inputlookup errors.csv | rename Error AS query | fields query ]

How do I add the Source column to the results?

Thanks,

Luc

0 Karma
Reply

sbbadri
Motivator
‎09-20-2017 07:38 AM

try this,

[|inputlookup errors.csv where Source=* | rename Error AS query | fields query Source | table query Source]

Reply

DalJeanis
Legend
‎09-20-2017 01:36 PM

@sbbadri - The user didn't say so, but the brackets indicate that this is a subsearch, so this solution will not work. if Source got passed back at all, it would act as a limit on the main search, rather than giving extra information.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-20-2017 07:30 AM

Hi
as the previous adding lookup command, try something like this

your_search [ | inputlookup your_lookup.csv | rename Error AS quesry | fields query ]
| rename _raw as rawText
| eval foo=[
    | inputlookup your_lookup.csv 
    | eval query="%"+Error+"%" 
    | stats values(query) AS query 
    | eval query=mvjoin(query,",") 
    | fields query 
    | format "" "" "" "" "" ""
    ]
| eval foo=split(foo,",") 
| mvexpand foo 
| where like(rawText,foo)
| rex field=foo "\%(?<Error>[^\%]*)\%"
| lookup errors.csv Error OUTPUT Source
| ...

Bye.
Giuseppe

Reply

DalJeanis
Legend
‎09-20-2017 01:48 PM

@cusello - Not precisely the way I would do it, but it should work for moderate numbers of events and moderate numbers of records in the lookup. For larger numbers of records, I'd replace the mvexpand with a rex that pulls out those error values directly, rather than multiplying the number of records.

Something like this...

 your_search
    [ | inputlookup your_lookup.csv 
    | rename Error AS query 
    | fields query ]
| rex field=_raw [ | inputlookup your_lookup.csv 
    | table Error 
    | sort 0 - Error 
    | rex mode=sed field=Error "s/ /!!!!/g" 
    | format "(?i)(<Error>" "" "" "" "|" ")" 
    | rex mode=sed field=search "s/[ \"]//g s/^\(/\"(/g s/\)$/)\"/g s/!!!!/ /g"]
 | lookup your_lookup.csv Error OUTPUT Source

Note that this is air code. I would test that rex-build subsearch with this first, to make sure the regular expression was well formed. 

 | inputlookup your_lookup.csv 
    | table Error 
    | sort 0 - Error 
    | rex mode=sed field=Error "s/ /!!!!/g" 
    | format "(?i)(<Error>" "" "" "" "|" ")" 
    | rex mode=sed field=search "s/[ \"]//g s/^\(/\"(/g s/\)$/)\"/g s/!!!!/ /g"
Reply

luc_k
Engager
‎09-24-2017 02:52 AM

Thanks a lot for your replies!

I receive this error:

Error in 'rex' command: The regex '(?i)(Error=not starting because the task should|Error=Error getting data)' does not extract anything. It should specify at least one named group. Format: (?...).

0 Karma
Reply

HiroshiSatoh
Champion
‎09-20-2017 07:27 AM

Try this!

|inputlookup errors.csv
|map search="search (your search) \"$Error$\"|eval Error=\"$Error$\", Source=\"$Source$\""

Reply

DalJeanis
Legend
‎09-20-2017 01:50 PM

@HiroshiSatoh - This will work, but I'd only do it for very small numbers of error messages (no more than 10, or at most 20). map is very expensive for what you get.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...