I have a CSV file containing 2 rows: EventCode and Message Summary.
I have added the CSV as a lookup file, and I can also read the CSV from Splunk (| inputlookup filename.csv).
These are Windows events.
I want to compare the Windows event IDs from Splunk and match them with the CSV file and add the field "message summary".
The "message summary" gives a short description of the event ID.
You can do it in a query:
index=event sourcetype=event_messages | lookup filename.csv EventCode as EventCode OUTPUT "Message Summary"
Let's assume that your sourcetype is WinEventLog:Security and your lookup file is called EventCode.csv.
On your Search Head, navigate to the app that should own the lookup file and then do:
Settings
-> Lookups
-> Lookup table files
-> New
-> Choose File
-> Save
Then do:
Settings
-> Lookups
-> Lookup definitions
-> New
-> Name(="EventCode")
-> Lookup file(="EventCode.csv")
-> Save
Then do:
Settings
-> Lookups
-> Automatic lookups
-> New
-> Name(=EventCodeAutoLookup)
-> Apply to sourcetype named(="WinEventLog:Security")
-> Lookup input fields(="EventCode")
-> Lookup output fields(="message summary")
-> Save
Then do a debug/refresh on the search head.
Now all events with a field EventCode and sourcetype of WinEventLog:Security will automatically call the lookup to get message summary field values. You can skip the last step and do it manually within the search by adding | lookup EventCode EventCode OUTPUT "message summary".
I get this error:
Error in 'inputlookup' command: Invalid argument: 'EventCode'
I did double-check that the column Event Code is parsed correctly from the CSV file, and it is.
Check the field EventCode in your lookup and in the raw Splunk events.
| lookup filename.csv <lookup-field1> AS <event-field1> OUTPUT "Message Summary"
Is there a space in one of the field names "Event Code" or are they both "EventCode"? Watch your capitalization also. Spelling needs to be exact.
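As an added illustration (not Splunk code and not from anyone in this thread), the following Python stand-in performs the same CSV join that `| lookup <definition> <lookup-field> AS <event-field> OUTPUT <output-field>` does, and shows the failure mode discussed above: when the lookup column is named "Event Code" (with a space) but the search asks for "EventCode", the key column is simply not found. The CSV contents, the abbreviated event lines and the function names are constructed for this example.

```python
import csv
import io
import re

# Constructed lookup CSV. The header is "Event Code" (with a space), the
# exact-name mismatch the reply above asks about.
LOOKUP_CSV = """Event Code,Message Summary
4624,An account was successfully logged on
4625,An account failed to log on
4720,A user account was created
"""

# Constructed, abbreviated WinEventLog:Security events with an EventCode field.
EVENTS = [
    "EventCode=4624 LogName=Security",
    "EventCode=4625 LogName=Security",
    "EventCode=1102 LogName=Security",  # no row in the lookup
]


def load_lookup(text, key_field):
    """Index the CSV rows by key_field. Column names must match exactly,
    including spaces and case, mirroring Splunk's case-sensitive matching;
    an unknown column fails loudly instead of silently matching nothing."""
    reader = csv.DictReader(io.StringIO(text))
    if key_field not in reader.fieldnames:
        raise KeyError(f"lookup has no column {key_field!r}; columns: {reader.fieldnames}")
    return {row[key_field]: row for row in reader}


def extract_field(event, name):
    """Pull a key=value field out of a raw event line (None if absent)."""
    m = re.search(rf"\b{re.escape(name)}=(\S+)", event)
    return m.group(1) if m else None


def enrich(events, lookup, event_field, output_field):
    """Equivalent of `lookup <def> "<key>" AS <event_field> OUTPUT "<output_field>"`:
    matched events gain the output field, unmatched ones keep it unset."""
    results = []
    for ev in events:
        key = extract_field(ev, event_field)
        row = lookup.get(key)
        results.append({event_field: key, output_field: row[output_field] if row else None})
    return results


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV, "Event Code")  # correct column name
    for r in enrich(EVENTS, table, "EventCode", "Message Summary"):
        print(r)
    load_lookup(LOOKUP_CSV, "EventCode")  # raises KeyError: column is "Event Code"
```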