Splunk Search

Lookup File Issues

Makinde
New Member

Hello I have multiple Questions about Lookup Files.

  1. Can you upload a lookup file into Splunk and search fields in the lookup file such that it returns values in those fields without having to correlate the result with any other search? If yes what is the syntax to do that? I tried typing | inputlookup UCMDB.csv | table Server_Name in Splunk but it isn't returning any values.
  2. I have a search string I have developed and displayed beautifully how I want it i.e. I have used the stats and table command to display it nicely. This result displays a field say Host_Name that contains the names of servers and host of other fields. I have a lookup file with a field called Server_name and a corresponding field called Owners. How do I pipe my beautifully displayed search string into the lookup table so it searches the Host_Name field against the Server_name field and adds the Owners field to the display against each server that is found in the lookup table?
  3. Just to clarify should I be able to search against the lookup file just by uploading it to Splunk in the lookup table manager? I want to confirm it works hence the question 1 so when I am troubleshooting question 2 I know the issue is not the lookup table rather my search string or something else.

Thanks

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust
  1. | inputlookup <lookup name> is the way to go. Possible reasons for non-workingness include being in the wrong app, having the wrong file name, having bad permissions, empty lookup files, etc. - also make sure to check the job inspector for any errors or warnings.
  2. Generally, you can use the rename command to change field names. Specifically to the lookup command, you can do | lookup <lookup name> <input> AS <renamed input> OUTPUT <output> AS <renamed output> to do on-the-fly renaming.
  3. Yes. http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/inputlookup

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust
  1. | inputlookup <lookup name> is the way to go. Possible reasons for non-workingness include being in the wrong app, having the wrong file name, having bad permissions, empty lookup files, etc. - also make sure to check the job inspector for any errors or warnings.
  2. Generally, you can use the rename command to change field names. Specifically to the lookup command, you can do | lookup <lookup name> <input> AS <renamed input> OUTPUT <output> AS <renamed output> to do on-the-fly renaming.
  3. Yes. http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/inputlookup

Makinde
New Member

Thanks Martin,

However I am not getting it working as expected.

  1. I still can't get it working. I am in the right app. I uploaded it to search. The excel sheet isn't empty and I granted it global permissions. If I wanted to return the values of all the server_names in the server name column. Would this search work; | inputlookup UCMDB.csv | table Server_Name?
  2. In the search string you provided, I don't see where I compare a field returned in the original search string against the field in the lookup table? What value is the input field? Is it for the original search string?
  3. I noticed i have to do somethings with transforms and props and stanza, is it compulsory I do it?
0 Karma

martin_mueller
SplunkTrust
SplunkTrust
0 Karma

Makinde
New Member

Thanks Martin,

I am able to get it all working, however I am trying to run search not specified in the knowledge base you suggested,

So now I have the various part of my search working, I would like to combine it all into one search string.

I have an original search to identify some vulnerabilities in my network, one of the fields in the search string is the Server_name field, however I want it to pull that information from my lookup file, so I am going to have to do a search in a search.

One challenge I have is my server names in Splunk are the FQDN but the server_name in my lookup file is just the server name not the FQDN so for me to get a match I need to use a wildcard (*) i.e. Server_name in Splunk is WLTYZ.domain.com while the server name in the lookup file is WLTYZ but I need my search string to match WLTYZ.domain.com in the search results when it uses the result WLTYZ from the lookup file.

I am thinking of putting the wildcard before and after the lookup search string so my search string looks like this;

index=main host_name=*[| inputlookup UCMDB.csv where MD="Ken Bell" | table "Server Name"]* | dedup host_name, qid | stats count by host_name

Do you think this will work? If not what would you recommend?

0 Karma

Makinde
New Member

Hey Martin, I got number 1 working, however I have another request with number one.

I have two fields say MD and Server_Name in the lookup file. I want to display Server_names for only a particular MD, How do I specify the MD name so it displays only Server_names where the MD matches the MD I specified?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Pipe to search:

| inputlookup <lookup> | search MD="foo"
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...