Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to list matches of a search using lookup values

dugalle
New Member
‎01-17-2020 01:02 AM

Hi!

I have create a search that uses a dynamic lookup to find events in some index looking at the raw:

...................
Lookup.csv
...................
id value
.. ..........
1 one
2 two
3 three

....................................
sample-index Events
....................................
2020-01-17 11:42:37 Sample event one
2020-01-17 11:42:33 Sample event five
2020-01-17 11:42:31 Sample event two

Query:

index=sample-index
[
| inputlookup Lookup.csv
| table value
| rename value as search | format
]
| table _time , _raw

It works fine and returns the Event 1 and 3 but I want to list the values of the lookup that has matched the events (in this case it should return "one" and "two"). I think that it should be done counting the matches of all the values of the lookup in the results but I don't know how to do it. The csv is generated every day so I can't put the values on the query.

Do you have any idea how to do it?

Thanks!

Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎01-17-2020 02:33 AM

UPDATED:
e.g.

| makeresults 
| eval _raw="time,raw
2020-01-17 11:42:37,Sample event one
2020-01-17 11:42:33,Sample event five
2020-01-17 11:42:31,Sample event two" 
| multikv forceheader=1 
| rename raw as _raw 
| rename time as _time 
| table _time _raw 
    `comment("this is sample your provide")` 
| appendpipe
    [| makeresults 
    | eval _raw="id value
1 one
2 two
3 three" 
    | multikv forceheader=1 
    | table id value
        `comment("this is sample as | inputlookup Lookup.csv")`
    | table value ]
| eventstats values(*) as *
| stats values(_raw) as raw by value
| where match(raw,value)
| table value

Recommend:

index=sample-index
| table _raw
| appendpipe [|inputlookup Lookup.csv
| table value]
| eventstats values(*) as *
| stats values(_raw) as raw by value
| where match(raw,value)
| table value

How about this?

0 Karma
Reply

dugalle
New Member
‎01-17-2020 03:29 AM

Hi! the field check appears always as "Null" 😞

Regarding to the table, that info is a sample of the "sample-index" events.

Thanks!

0 Karma
Reply

TISKAR
Builder
‎01-17-2020 01:20 AM

Hi @dugalle:

Can you try by lookup command like this:

index=sample-index
| lookup Lookup.csv value as search OUTPUTNEW value 
| where !isnull(value)
| table _time , _raw
0 Karma
Reply

dugalle
New Member
‎01-17-2020 03:08 AM

Hi, i have tried it and doesn't work 😞

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...