Splunk Search

Lookup csv file, match codes and add field

erdalcan
New Member

I have a csv file containing 2 rows: EventCode and Message Summary
Have added the CSV as a lookup file and I can also read the CSV from splunk (| inputlookup filename.csv)
these are windows events,
I want to compare the windows event id's from Splunk and match them with the csv file and add the field "message summary"
the "message summary" give a short description of the event ID

Tags (1)
0 Karma
1 Solution

dineshraj9
Builder

You can do it in query -

index=event sourcetype=event_messages | lookup filename.csv EventCode as EventCode OUTPUT "Message Summary"

View solution in original post

0 Karma

woodcock
Esteemed Legend

Let's assume that your sourcetype is WinEventLog:Security and your lookup file is called EventCode.csv.

On your Search Head, navigate to the app that should own the lookup file and then do:
Settings -> Lookups -> Lookup table files -> New -> Choose File -> Save
Then do:
Settings -> Lookups -> Lookup definitions -> New -> Name(="EventCode") -> Lookup file(="EventCode.csv") -> Save
Then do:
Settings -> Lookups -> Automatic lookups -> New -> Name(=EventCodeAutoLookup) -> Apply to sourcetype named(="WinEventLog:Security") -> Lookup input fields(="EventCode") -> Lookup output fields(="message summary")' ->Save
Then do a
debug/refresh` on the search head.

No all events with a field EventCode and sourcetype of WinEventLog:Security will automatically call lookup to get message summary field values. You can skip the last step and do it manually within the search by adding | lookup EventCode EventCode OUTPUT "message summary".

dineshraj9
Builder

You can do it in query -

index=event sourcetype=event_messages | lookup filename.csv EventCode as EventCode OUTPUT "Message Summary"
0 Karma

erdalcan
New Member

I get this eroror

Error in 'inputlookup' command: Invalid argument: 'EventCode' 

did double check if the collum Event Code is parsed correctly from the CSV file and it is

0 Karma

dineshraj9
Builder

Check the field EventCode in your lookup and in the raw Splunk events.

| lookup filename.csv <lookup-field1> AS <event-field1> OUTPUT "Message Summary"

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Is there a space in one of the field names "Event Code" or are they both "EventCode"? Watch your capitalization also. Spelling needs to be exact.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...