Hello, I need help.
I have 6500 IINs (like IDs) and put these IDs into a lookup, then tried this search: index=alfa [|inputlookup IIN_oleg.csv |rename IIN as search | fields search]
It gives a result only for the first IIN in the lookup.
If I search without the lookup, with just 10 IINs joined with "OR", it gives me 10 results.
One more thing I observed in my instance. In case of many OR conditions, the search itself is getting broken. So can you please run your search and check the job inspector? Is there any error?
Start search: index=alfa [|inputlookup IIN_oleg.csv |rename IIN as search | fields search]
search.log:
08-05-2021 12:36:55.531 ERROR LookupProviderFactory - Must specify one or more lookup fields.
08-05-2021 12:36:54.743 INFO SearchParser - PARSING: search index=alfa [|inputlookup IIN_oleg.csv |rename IIN as search | fields search] |
08-05-2021 12:36:55.531 ERROR LookupProviderFactory - Must specify one or more lookup fields.
08-05-2021 12:36:55.531 ERROR AutoLookupDriver - Could not load lookup='LOOKUP-cisco_asa_ids_lookup' reason='Error in 'lookup' command: Must specify one or more lookup fields.'
08-05-2021 12:36:55.531 ERROR LookupProviderFactory - Must specify one or more lookup fields.
08-05-2021 12:36:55.531 ERROR AutoLookupDriver - Could not load lookup='LOOKUP-cisco_asa_intrusion_severity_lookup' reason='Error in 'lookup' command: Must specify one or more lookup fields.'
I cannot find in the logs why it takes only the first value in the lookup. I think the problem is in the query.
Try this,
index=alfa [|inputlookup IIN_oleg.csv |rename IIN as search | table search | format "(" "(" "AND" ")" "OR" ")"]
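As an added illustration (not code from this thread or from Splunk), the Python below approximates what the subsearch `[| inputlookup ... | rename IIN as search | table search | format ...]` expands to before the outer `index=alfa` search runs. `SAMPLE_CSV` is constructed, and the `format_search` logic is an assumption about how `format` renders rows, not Splunk's implementation; it also shows why a column named `search` yields bare terms while any other column yields `field="value"` pairs.

```python
import csv
import io

# Constructed stand-in for IIN_oleg.csv (the real file is not on the page).
SAMPLE_CSV = """IIN
123456789012
234567890123
345678901234
"""


def inputlookup(csv_text):
    """Mimic `| inputlookup file.csv`: one dict per CSV row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def rename(rows, old, new):
    """Mimic `| rename old as new` on every row."""
    return [{(new if k == old else k): v for k, v in r.items()} for r in rows]


def format_search(rows, pre="(", row_pre="(", row_sep="AND", row_post=")",
                  sep="OR", post=")", maxresults=None):
    """Assumed model of `| format pre row_pre row_sep row_post sep post`:
    each row becomes row_pre ... row_post with its fields joined by row_sep,
    rows are joined by sep, and the whole string is wrapped in pre/post.
    A column literally named `search` is emitted as a bare term; any other
    column becomes field="value". maxresults truncates the rows used."""
    if maxresults is not None:
        rows = rows[:maxresults]
    clauses = []
    for r in rows:
        terms = [v if k == "search" else f'{k}="{v}"' for k, v in r.items()]
        clauses.append(f"{row_pre} {f' {row_sep} '.join(terms)} {row_post}")
    return f"{pre} {f' {sep} '.join(clauses)} {post}"


def expand(outer, csv_text, as_search=True):
    """Full expansion of `outer [|inputlookup csv |rename IIN as search |format]`.
    With as_search=False the IIN column is kept, giving IIN="..." terms instead."""
    rows = inputlookup(csv_text)
    if as_search:
        rows = rename(rows, "IIN", "search")
    return f"{outer} {format_search(rows)}"


if __name__ == "__main__":
    print(expand("index=alfa", SAMPLE_CSV))
    print(expand("index=alfa", SAMPLE_CSV, as_search=False))
```

The bare-term form matches any event whose raw text contains the IIN token, which is why it is used when the index has no `IIN` field; the `IIN="..."` form only matches events where that field was extracted.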
cool
Glad to help you 🙂
!! Happy Splunking !!
No, it does not give any result 😔
Can you please try this?
index=alfa
| rex field=_raw "parameter\sname=\\\\\"(?<name>.*)\\\\\"\svalue=\\\\\"(?<value>\d+)\\\\\"\/>"
| where name="IIN"
| stats count by value
KV
We don't have a field like IIN in the index data.
index=alfa | rex field=_raw "parameter\sname=\\\\\"(?<name>.*)\\\\\"\svalue=\\\\\"(?<value>\d+)\\\\\"\/>" | where name="IIN" | stats count by value
Result: 0
OK
Then how do you want to map it with IIN_oleg.csv?
lookup data
data in index
Thanks @Dmitriy
Are you able to extract the name and value fields from the events?
index=alfa name="IIN" | stats count by value
Is this query working for you?
If not, can you please share a sample _raw event, so I can help you with the extraction as well.
KV
If you have the same field name, then you can try like this.
index=alfa
| lookup IIN_oleg.csv IIN output IIN as IIN_1
| where isnotnull(IIN_1)
KV