Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Looking to improve a query with a lookup file

bond77s
Explorer
‎11-13-2024 02:26 PM

I have a lookup file that contains a column for hostname, ip address and location.  I need a query that will check the lookup file and determine if the element is up or down and if it has or used "radius".

|inputlookup filename | search (MESSAGE_TEXT="Radius")
Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-14-2024 12:15 AM

Hi @bond77s ,

not having your search (as also @isoutamo said) it's difficoult to help you, at least, please better describe your requirements.

anyway supponing that you have a search and you want to check if the hostname from the search is listed in the lookup and that MESSAGE_TEXT is a field in your main search and yu want only the events with this condition, you could try something like this:

index=your_index MESSAGE_TEXT="Radius" [ |inputlookup filename | rename hostname AS host | fields host ]
| ...

Then, if in your main search you have also a field called ip and you want to check both host and ip, you could try something like this:

index=your_index MESSAGE_TEXT="Radius" ([ |inputlookup filename | rename hostname AS host | fields host ] OR [ |inputlookup filename | fields ip ]

Ciao.

Giuseppe

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-13-2024 11:08 PM
Can you add your whole SPL query here, as @ITWhisperer said, your example didn't contains any fields which have value Radius.
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-13-2024 02:36 PM

If your lookup only contains hostname, ip address and location, how will you find any events where MESSAGE_TEXT="Radius"?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...