Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lookup csv file, match codes and add field

erdalcan
New Member
‎04-24-2017 05:51 AM

I have a csv file containing 2 rows: EventCode and Message Summary
Have added the CSV as a lookup file and I can also read the CSV from splunk (| inputlookup filename.csv)
these are windows events,
I want to compare the windows event id's from Splunk and match them with the csv file and add the field "message summary"
the "message summary" give a short description of the event ID

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dineshraj9
Builder
‎04-24-2017 05:56 AM

You can do it in query -

index=event sourcetype=event_messages | lookup filename.csv EventCode as EventCode OUTPUT "Message Summary"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-24-2017 10:55 AM

Let's assume that your sourcetype is WinEventLog:Security and your lookup file is called EventCode.csv.

On your Search Head, navigate to the app that should own the lookup file and then do:
Settings -> Lookups -> Lookup table files -> New -> Choose File -> Save
Then do:
Settings -> Lookups -> Lookup definitions -> New -> Name(="EventCode") -> Lookup file(="EventCode.csv") -> Save
Then do:
Settings -> Lookups -> Automatic lookups -> New -> Name(=EventCodeAutoLookup) -> Apply to sourcetype named(="WinEventLog:Security") -> Lookup input fields(="EventCode") -> Lookup output fields(="message summary")' ->Save
Then do adebug/refresh` on the search head.

No all events with a field EventCode and sourcetype of WinEventLog:Security will automatically call lookup to get message summary field values. You can skip the last step and do it manually within the search by adding | lookup EventCode EventCode OUTPUT "message summary".

Reply
Solved! Jump to solution
Solution

dineshraj9
Builder
‎04-24-2017 05:56 AM

You can do it in query -

index=event sourcetype=event_messages | lookup filename.csv EventCode as EventCode OUTPUT "Message Summary"
0 Karma
Reply
Solved! Jump to solution

erdalcan
New Member
‎04-24-2017 06:28 AM

I get this eroror 

Error in 'inputlookup' command: Invalid argument: 'EventCode'

did double check if the collum Event Code is parsed correctly from the CSV file and it is

0 Karma
Reply
Solved! Jump to solution

dineshraj9
Builder
‎04-24-2017 06:30 AM

Check the field EventCode in your lookup and in the raw Splunk events.

| lookup filename.csv <lookup-field1> AS <event-field1> OUTPUT "Message Summary"

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎04-24-2017 08:48 AM

Is there a space in one of the field names "Event Code" or are they both "EventCode"? Watch your capitalization also. Spelling needs to be exact.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...