Morning Community,
Looking at a way to pull multiple columns into an alert Im attempting to build. In the below syntax this gives me hits on the a src IP that appears in the lookupfile which is great however I also want to pull in extra columns associated with the hit on that IP.
The lookup file contains columns labelled "tag" "info" and "comment" which would further enhance the usefulness of this alert.
index=netscaler sourcetype="citrix:netscaler:syslog" citrix_netscaler_event_name=LOGIN action=success app=SSLVPN | search [| inputlookup my.csv | rename value as src | fields src ]
I've tried this and returns no results.
index=netscaler sourcetype="citrix:netscaler:syslog" citrix_netscaler_event_name=LOGIN action=success app=SSLVPN
| search [| inputlookup my.csv | rename value as src | fields src ]
| lookup my.csv info as src.info output info as src.info
Any thoughts at all? This article was a little similar to what Im trying to do, except I need the extra columns data from the src IP hits from the 1st part of the alert. https://community.splunk.com/t5/Splunk-Search/Pulling-multiple-Columns-from-an-inputlookup/m-p/42474...
Below may help..
index=netscaler sourcetype="citrix:netscaler:syslog" citrix_netscaler_event_name=LOGIN action=success app=SSLVPN | lookup my.csv value as src outputnew info as src.info
index=netscaler sourcetype="citrix:netscaler:syslog" citrix_netscaler_event_name=LOGIN action=success app=SSLVPN [| inputlookup my.csv | rename value as src | fields src | format ]
| lookup my.csv info as src.info output info as src.info
But you don't have the src field, do you?
Below may help..
index=netscaler sourcetype="citrix:netscaler:syslog" citrix_netscaler_event_name=LOGIN action=success app=SSLVPN | lookup my.csv value as src outputnew info as src.info
Thanks this worked great!