Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Looking to improve a query with a lookup file

bond77s
Explorer
‎11-13-2024 02:26 PM

I have a lookup file that contains a column for hostname, ip address and location.  I need a query that will check the lookup file and determine if the element is up or down and if it has or used "radius".

|inputlookup filename | search (MESSAGE_TEXT="Radius")
Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-14-2024 12:15 AM

Hi @bond77s ,

not having your search (as also @isoutamo said) it's difficoult to help you, at least, please better describe your requirements.

anyway supponing that you have a search and you want to check if the hostname from the search is listed in the lookup and that MESSAGE_TEXT is a field in your main search and yu want only the events with this condition, you could try something like this:

index=your_index MESSAGE_TEXT="Radius" [ |inputlookup filename | rename hostname AS host | fields host ]
| ...

Then, if in your main search you have also a field called ip and you want to check both host and ip, you could try something like this:

index=your_index MESSAGE_TEXT="Radius" ([ |inputlookup filename | rename hostname AS host | fields host ] OR [ |inputlookup filename | fields ip ]

Ciao.

Giuseppe

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-13-2024 11:08 PM
Can you add your whole SPL query here, as @ITWhisperer said, your example didn't contains any fields which have value Radius.
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-13-2024 02:36 PM

If your lookup only contains hostname, ip address and location, how will you find any events where MESSAGE_TEXT="Radius"?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...