Splunk Search

How to rename fields in a subsearch and keep results of the original field name?

Glasses
Builder

I have a subsearch query that uses a wildcard keyword list as an inputlookup to find filenames that contain a keyword.

I then rename the resulting filenames as keyword to do a reverse lookup to output the keyword that matched the filename.

The problem is I want to list out the filename and the keyword that matched in the filename...

For example>>>

index=foo sourcetype=bar
[|inputlookup keyword-list.csv |fields keyword |rename keyword as FileName] 
| rename FileName as keyword 
| lookup keyword-list.csv keyword OUTPUT keyword as Matched 
| stats values(Matched)

From this query my results are the keywords:
(for example)

*jedi*
*sith*
*falcon*

Here are the FileName results containing the keyword

 index=foo sourcetype=bar
    [|inputlookup keyword-list.csv |fields keyword |rename keyword as FileName] 
    | stats values(FileName)

"D:/Rey Skywalker/jedi/report.pdf"
"D:/Kilo Ren/sith/report.pdf"
"E:/starship/falcon/rebel/report.pdg"

I was requested to list both together in the results... like this

*jedi*    "D:/Rey Skywalker/jedi/report.pdf"        
*sith*    "D:/Kilo Ren/sith/report.pdf"
*falcon*  "E:/starship/falcon/rebel/report.pdg"

Any advice greatly appreciated, thank you!

0 Karma
1 Solution

to4kawa
Ultra Champion
 index=foo sourcetype=bar
 [|inputlookup keyword-list.csv |fields keyword |rename keyword as FileName] 
 | eval keyword = FileName
 | lookup keyword-list.csv keyword OUTPUT keyword as Matched 
 | stats values(Matched) by FileName

I think it ’s okay if you don’t rename

View solution in original post

0 Karma

to4kawa
Ultra Champion
 index=foo sourcetype=bar
 [|inputlookup keyword-list.csv |fields keyword |rename keyword as FileName] 
 | eval keyword = FileName
 | lookup keyword-list.csv keyword OUTPUT keyword as Matched 
 | stats values(Matched) by FileName

I think it ’s okay if you don’t rename

0 Karma

Glasses
Builder

Thank you!!!

I tried something similar but jacked it up... went the wrong way, thanks for your help.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...