- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Lookup csv file, match codes and add field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a csv file containing 2 rows: EventCode and Message Summary
Have added the CSV as a lookup file and I can also read the CSV from splunk (| inputlookup filename.csv)
these are windows events,
I want to compare the windows event id's from Splunk and match them with the csv file and add the field "message summary"
the "message summary" give a short description of the event ID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do it in query -
index=event sourcetype=event_messages | lookup filename.csv EventCode as EventCode OUTPUT "Message Summary"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let's assume that your sourcetype is WinEventLog:Security and your lookup file is called EventCode.csv.
On your Search Head, navigate to the app that should own the lookup file and then do:
Settings -> Lookups -> Lookup table files -> New -> Choose File -> Save
Then do:
Settings -> Lookups -> Lookup definitions -> New -> Name(="EventCode") -> Lookup file(="EventCode.csv") -> Save
Then do:
Settings -> Lookups -> Automatic lookups -> New -> Name(=EventCodeAutoLookup) -> Apply to sourcetype named(="WinEventLog:Security") -> Lookup input fields(="EventCode") -> Lookup output fields(="message summary")' ->Save
Then do a
No all events with a field EventCode and sourcetype of WinEventLog:Security will automatically call lookup to get message summary field values. You can skip the last step and do it manually within the search by adding | lookup EventCode EventCode OUTPUT "message summary".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do it in query -
index=event sourcetype=event_messages | lookup filename.csv EventCode as EventCode OUTPUT "Message Summary"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I get this eroror
Error in 'inputlookup' command: Invalid argument: 'EventCode'
did double check if the collum Event Code is parsed correctly from the CSV file and it is
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check the field EventCode in your lookup and in the raw Splunk events.
| lookup filename.csv <lookup-field1> AS <event-field1> OUTPUT "Message Summary"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a space in one of the field names "Event Code" or are they both "EventCode"? Watch your capitalization also. Spelling needs to be exact.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
