- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to rename fields in a subsearch and keep resul...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a subsearch query that uses a wildcard keyword list as an inputlookup to find filenames that contain a keyword.
I then rename the resulting filenames as keyword to do a reverse lookup to output the keyword that matched the filename.
The problem is I want to list out the filename and the keyword that matched in the filename...
For example>>>
index=foo sourcetype=bar
[|inputlookup keyword-list.csv |fields keyword |rename keyword as FileName]
| rename FileName as keyword
| lookup keyword-list.csv keyword OUTPUT keyword as Matched
| stats values(Matched)
From this query my results are the keywords:
(for example)
*jedi*
*sith*
*falcon*
Here are the FileName results containing the keyword
index=foo sourcetype=bar
[|inputlookup keyword-list.csv |fields keyword |rename keyword as FileName]
| stats values(FileName)
"D:/Rey Skywalker/jedi/report.pdf"
"D:/Kilo Ren/sith/report.pdf"
"E:/starship/falcon/rebel/report.pdg"
I was requested to list both together in the results... like this
*jedi* "D:/Rey Skywalker/jedi/report.pdf"
*sith* "D:/Kilo Ren/sith/report.pdf"
*falcon* "E:/starship/falcon/rebel/report.pdg"
Any advice greatly appreciated, thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=foo sourcetype=bar
[|inputlookup keyword-list.csv |fields keyword |rename keyword as FileName]
| eval keyword = FileName
| lookup keyword-list.csv keyword OUTPUT keyword as Matched
| stats values(Matched) by FileName
I think it ’s okay if you don’t rename
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=foo sourcetype=bar
[|inputlookup keyword-list.csv |fields keyword |rename keyword as FileName]
| eval keyword = FileName
| lookup keyword-list.csv keyword OUTPUT keyword as Matched
| stats values(Matched) by FileName
I think it ’s okay if you don’t rename
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you!!!
I tried something similar but jacked it up... went the wrong way, thanks for your help.
Observability | How to Think About Instrumentation Overhead (White Paper)
Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)
The Great Resilience Quest: 10th Leaderboard Update
