- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to search ColumnA in a lookup and output the c...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to search ColumnA in a lookup and output the corresponding values from ColumnB?
Hey all,
I created a lookup with two columns:
Username,IP
test1,192.168.0.1
test2,192.168.0.2
...
..
I'm trying to do a search for the first column "Username".
And if I have results, I want it to display the IP of the username in table.
I will be happy if you help me with this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
sourcetype=Serv [ inputlookup Complist | fields "Username" ] | lookup Complist Username OUTPUT IP | rename Username AS UserReq , Message.Request.MessageBody AS Messagebody | table Username Messagebody Time IP
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are just trying to search across that lookup table then the following should work:
| inputlookup yourlookupname
| search Username = whatever
| table IP
If you are trying to pipe a search through your lookup in order to apply some filtering, then it would be something like:
yoursearch
| lookup yourlookupname Username AS UsernameFieldInYourEvent OUTPUT IP AS IPNameInYourEvent
| table IPNameInYourEvent
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for help,
Still I cant getting this to work,
This is my full search:
sourcetype=Serv [ inputlookup Complist | fields "Username" ] | rename Username AS UserReq , Message.Request.MessageBody AS Messagebody | table Username Messagebody Time
The problem is that in the lookup "Complist" I have column "IP"
When I add "IP" to table nothing happened.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Couple of things, you are renaming Username but then your table is not including it. Also the time field is wrong.
sourcetype=Serv [ inputlookup Complist | fields "Username" ] | rename Username AS UserReq , Message.Request.MessageBody AS Messagebody | table UserReq Messagebody _time
Also, this:
sourcetype=Serv [ inputlookup Complist | fields "Username" ]
Is being translated as:
sourcetype=Serv (Username=Value1 OR Username=Value2 OR Username=Value3) ...
Alternatively, if what you are trying to do is to return the IP for those Usernames, then you can't do an inputlookup, you have to do an actual lookup:
sourcetype=Serv
|lookup Complist Username AS Username OUTPUT IP AS ipaddr
| rename Username AS UserReq , Message.Request.MessageBody AS Messagebody
| table _time, UserReq, Messagebody, ipaddr
Let me know if that works. If not, can you post an example of your lookup?
Keep in mind field names are case sensitive
Thanks,
J
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
