Question on how to use lookup file

Deepz2612 · ‎10-24-2019

I have a lookup file which has below 3 columns.

Exception_Name Exception_Keyword Comments
REXC RemoteException Alerted
JNEXC Exception-NullPointer Ignorable

Now in the logs when the Exception_Keyword occurs,It should look for the lookupfile and take the Exception_Name,Comments and give the result with host and count also.
And if the Exception_Keyword does not exists in lookup it should be listed as New..

Expected output as below :

Exception Name Host Count Comments
REXC ABC 27 Alerted
javanull ABC 3 New

Kindly help please.
Thanks!

gcusello · ‎10-25-2019

Hi Deepz2612,
it should be near your request:

index=your_index
| rename _raw as rawText
| eval pattern=[ 
    | inputlookup exceptions.csv
    | stats values(Exception_Keyword) AS query
    | eval query=mvjoin(query,",")
    | fields query
    | format "" "" "" "" "" ""
    ]
| eval pattern=split(pattern,",")
| mvexpand pattern
| eval pattern="%".pattern."%"
| eval check=if(like(rawText,pattern),pattern,"No")
| rex field=pattern "\%(?<pattern>[^\%]*)\%"
| lookup exceptions.csv Exception_Keyword AS pattern OUTPUT Exception_Name Comments
| fillnull value="New" Comments
| stats values(Comments) AS Comments count BY Exception_Name host

Ciao.
Giuseppe

woodcock · ‎10-25-2019

Like this:

Your Search Here That Generates Exception_Name Exception_Keyword Comments columns
| lookup YourLookupHere.csv
| fillnull value="New" Comments

Question on how to use lookup file

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?