Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Lookup Tabel with UrLs

tmwhitm
New Member
‎06-06-2018 12:35 PM

Looking for assistance in creating a lookup table with UrLs, my syntax below does not work. Any ideas on how to use a lookup table with UrLs?

index="p*" [ | inputlookup UrL-Input | stats values(UrL) as url | format ] | stats count by src_ip,url,action
| sort action

The lookup table UrL-Input contains two columns, URL & Description.

Any assistance is appreciated.

Tom

Tags (2)
0 Karma
Reply

tmwhitm
New Member
‎06-07-2018 04:31 AM

Yes, my data had www.example.com so I added that verbatim to the lookup table but the data was not found until I added www.example.com to the lookup table.

0 Karma
Reply

tmwhitm
New Member
‎06-07-2018 04:20 AM

Jkat54,

Thank you. Before your post I was playing with the lookup table and found that when I added a wildcard at the beginning and end of the url, the SQL I have worked. Still trying to wrap my mind around why for even when I tested www.example.com and it existed in the data, it was not found until I added the wildcard.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-07-2018 04:26 AM

That sounds odd. Are you saying this “unpacked” search works?

(( url=value1))

But this doesn’t:

((url=value1))

Even though you have a field called url with “value1” in it...

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-06-2018 01:49 PM

Use this as your subsearch instead:

| inputlookup UrL-Input | rename UrL as url | format

Which will unpack to

... ( ( url=value1 ) OR( url=value2) OR ... )

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...