Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to list matches of a search using lookup values

dugalle
New Member
‎01-17-2020 01:02 AM

Hi!

I have create a search that uses a dynamic lookup to find events in some index looking at the raw:

...................
Lookup.csv
...................
id value
.. ..........
1 one
2 two
3 three

....................................
sample-index Events
....................................
2020-01-17 11:42:37 Sample event one
2020-01-17 11:42:33 Sample event five
2020-01-17 11:42:31 Sample event two

Query:

index=sample-index
[
| inputlookup Lookup.csv
| table value
| rename value as search | format
]
| table _time , _raw

It works fine and returns the Event 1 and 3 but I want to list the values of the lookup that has matched the events (in this case it should return "one" and "two"). I think that it should be done counting the matches of all the values of the lookup in the results but I don't know how to do it. The csv is generated every day so I can't put the values on the query.

Do you have any idea how to do it?

Thanks!

Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎01-17-2020 02:33 AM

UPDATED:
e.g.

| makeresults 
| eval _raw="time,raw
2020-01-17 11:42:37,Sample event one
2020-01-17 11:42:33,Sample event five
2020-01-17 11:42:31,Sample event two" 
| multikv forceheader=1 
| rename raw as _raw 
| rename time as _time 
| table _time _raw 
    `comment("this is sample your provide")` 
| appendpipe
    [| makeresults 
    | eval _raw="id value
1 one
2 two
3 three" 
    | multikv forceheader=1 
    | table id value
        `comment("this is sample as | inputlookup Lookup.csv")`
    | table value ]
| eventstats values(*) as *
| stats values(_raw) as raw by value
| where match(raw,value)
| table value

Recommend:

index=sample-index
| table _raw
| appendpipe [|inputlookup Lookup.csv
| table value]
| eventstats values(*) as *
| stats values(_raw) as raw by value
| where match(raw,value)
| table value

How about this?

0 Karma
Reply

dugalle
New Member
‎01-17-2020 03:29 AM

Hi! the field check appears always as "Null" 😞

Regarding to the table, that info is a sample of the "sample-index" events.

Thanks!

0 Karma
Reply

TISKAR
Builder
‎01-17-2020 01:20 AM

Hi @dugalle:

Can you try by lookup command like this:

index=sample-index
| lookup Lookup.csv value as search OUTPUTNEW value 
| where !isnull(value)
| table _time , _raw
0 Karma
Reply

dugalle
New Member
‎01-17-2020 03:08 AM

Hi, i have tried it and doesn't work 😞

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...