Hello I have multiple Questions about Lookup Files.
Thanks
| inputlookup <lookup name>

is the way to go. Possible reasons for non-workingness include being in the wrong app, having the wrong file name, having bad permissions, empty lookup files, etc. Also make sure to check the job inspector for any errors or warnings.

Use the rename command to change field names. Specifically for the lookup command, you can do

| lookup <lookup name> <input> AS <renamed input> OUTPUT <output> AS <renamed output>

to do on-the-fly renaming.

Thanks Martin,
However I am not getting it working as expected.
Check out http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/lookup for explicitly calling a lookup in a search, and http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Addfieldsfromexternaldatasources for lookups in general.
Thanks Martin,
I am able to get it all working; however, I am trying to run a search not specified in the knowledge base you suggested.
So now that I have the various parts of my search working, I would like to combine it all into one search string.
I have an original search to identify some vulnerabilities in my network. One of the fields in the search string is the Server_name field; however, I want it to pull that information from my lookup file, so I am going to have to do a search in a search.
One challenge I have is that my server names in Splunk are the FQDN but the server_name in my lookup file is just the server name, not the FQDN, so for me to get a match I need to use a wildcard (*). I.e. Server_name in Splunk is WLTYZ.domain.com while the server name in the lookup file is WLTYZ, but I need my search string to match WLTYZ.domain.com in the search results when it uses the result WLTYZ from the lookup file.
I am thinking of putting the wildcard before and after the lookup search string so my search string looks like this:
index=main host_name=*[| inputlookup UCMDB.csv where MD="Ken Bell" | table "Server Name"]* | dedup host_name, qid | stats count by host_name
Do you think this will work? If not what would you recommend?
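As an added example (not posted by anyone in this thread), here is one way to build the subsearch from the post above so that each lookup value is matched against host_name with wildcards. It assumes the lookup is UCMDB.csv with a field called "Server Name" and an MD field, as in the post; the eval field name and the surrounding search are otherwise taken from the post.

```spl
index=main
    [| inputlookup UCMDB.csv where MD="Ken Bell"
     | eval host_name="*" . 'Server Name' . "*"
     | fields host_name
     | format]
| dedup host_name, qid
| stats count by host_name
```

A subsearch is rewritten into search terms built from the field names it returns, so renaming (here via eval) the lookup column to host_name is what makes the outer search filter on host_name, and building the wildcards into each value inside the subsearch is what makes WLTYZ match WLTYZ.domain.com. Placing the asterisks outside the square brackets, as in the draft search above, does not apply them to each returned value. The format command is implicit for subsearches; it is shown here so the expanded terms ( host_name="*WLTYZ*" ) OR ( host_name="*..." ) can be checked in the job inspector.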
Hey Martin, I got number 1 working; however, I have another request with number one.
I have two fields, say MD and Server_Name, in the lookup file. I want to display Server_names for only a particular MD. How do I specify the MD name so it displays only Server_names where the MD matches the MD I specified?
Pipe to search:

| inputlookup <lookup> | search MD="foo"