Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to rename fields in a subsearch and keep results of the original field name?

Glasses
Builder
‎05-19-2020 07:54 AM

I have a subsearch query that uses a wildcard keyword list as an inputlookup to find filenames that contain a keyword.

I then rename the resulting filenames as keyword to do a reverse lookup to output the keyword that matched the filename.

The problem is I want to list out the filename and the keyword that matched in the filename...

For example>>>

index=foo sourcetype=bar
[|inputlookup keyword-list.csv |fields keyword |rename keyword as FileName] 
| rename FileName as keyword 
| lookup keyword-list.csv keyword OUTPUT keyword as Matched 
| stats values(Matched)

From this query my results are the keywords:
(for example)

*jedi*
*sith*
*falcon*

Here are the FileName results containing the keyword

 index=foo sourcetype=bar
    [|inputlookup keyword-list.csv |fields keyword |rename keyword as FileName] 
    | stats values(FileName)

"D:/Rey Skywalker/jedi/report.pdf"
"D:/Kilo Ren/sith/report.pdf"
"E:/starship/falcon/rebel/report.pdg"

I was requested to list both together in the results... like this

*jedi*    "D:/Rey Skywalker/jedi/report.pdf"        
*sith*    "D:/Kilo Ren/sith/report.pdf"
*falcon*  "E:/starship/falcon/rebel/report.pdg"

Any advice greatly appreciated, thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-19-2020 08:16 AM 
 index=foo sourcetype=bar
 [|inputlookup keyword-list.csv |fields keyword |rename keyword as FileName] 
 | eval keyword = FileName
 | lookup keyword-list.csv keyword OUTPUT keyword as Matched 
 | stats values(Matched) by FileName

I think it ’s okay if you don’t rename

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-19-2020 08:16 AM 
 index=foo sourcetype=bar
 [|inputlookup keyword-list.csv |fields keyword |rename keyword as FileName] 
 | eval keyword = FileName
 | lookup keyword-list.csv keyword OUTPUT keyword as Matched 
 | stats values(Matched) by FileName

I think it ’s okay if you don’t rename

0 Karma
Reply
Solved! Jump to solution

Glasses
Builder
‎05-19-2020 08:30 AM

Thank you!!!

I tried something similar but jacked it up... went the wrong way, thanks for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...