Solved: How to search a lookup table and return the matchi... - Page 2

clv1clv1 · ‎10-28-2016

All-

I am new to Splunk and trying to figure out how to return a matched term from a CSV table with inputlookup. I just researched and found that inputlookup returns a Boolean response, making it impossible to return the matched term.

With that being said, is the any way to search a lookup table and return a matching term? I would imagine eval would do the trick, but I have not been successful in making it work.

I have tried the below:

index=proxysg sourcetype=proxysg_base [|inputlookup aterms.csv | return 10000 $aterms] | eval matchedterm=if( [|inputlookup aterms.csv | return 10000 $aterms], $aterms)

Thanks for the help!

gokadroid · ‎10-28-2016

Lets say your Lookup table is "inputLookup.csv" and it is as follows:

Field1,Field2
AA,11
AB,22
AC,33
BA,21
BB,22
BC,23

You can match terms from input lookup on any of the above fields Field1 or Field2 as follows (I am matching on Field1 and displaying Field2):

|inputlookup inputLookup.csv | search Field1=A* | fields Field2

If you now want to use all the Field2 values which returned based on your match Field1=A* as subsearch then try:

yourBaseSearch [ |inputlookup inputLookup.csv | search Field1=A* | fields Field2 ]

Updating as per the comment conversation:

index=proxysg sourcetype=proxysg_base [|inputlookup aterms.csv | return 10000 $aterms]
 | rename _raw as rawText
 | eval foo=[|inputlookup aterms.csv |stats values(aterms) as query | eval query=mvjoin(query,",") | fields query | format "" "" "" "" "" ""]
 | eval foo=split(foo,",") 
 | mvexpand foo 
  | eval foo=lower(foo)     
  | eval rawText=lower(rawText)
 | where like(rawText,"%"+foo+"%")
 | table rawText, foo

View solution in original post

How to search a lookup table and return the matching term?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor