Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Question on how to use lookup file

Deepz2612
Explorer
‎10-24-2019 09:53 PM

I have a lookup file which has below 3 columns.

Exception_Name Exception_Keyword Comments
REXC RemoteException Alerted
JNEXC Exception-NullPointer Ignorable

Now in the logs when the Exception_Keyword occurs,It should look for the lookupfile and take the Exception_Name,Comments and give the result with host and count also.
And if the Exception_Keyword does not exists in lookup it should be listed as New..

Expected output as below :

Exception Name Host Count Comments
REXC ABC 27 Alerted
javanull ABC 3 New

Kindly help please.
Thanks!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-25-2019 03:11 AM

Hi Deepz2612,
it should be near your request:

index=your_index
| rename _raw as rawText
| eval pattern=[ 
    | inputlookup exceptions.csv
    | stats values(Exception_Keyword) AS query
    | eval query=mvjoin(query,",")
    | fields query
    | format "" "" "" "" "" ""
    ]
| eval pattern=split(pattern,",")
| mvexpand pattern
| eval pattern="%".pattern."%"
| eval check=if(like(rawText,pattern),pattern,"No")
| rex field=pattern "\%(?<pattern>[^\%]*)\%"
| lookup exceptions.csv Exception_Keyword AS pattern OUTPUT Exception_Name Comments
| fillnull value="New" Comments
| stats values(Comments) AS Comments count BY Exception_Name host

Ciao.
Giuseppe

0 Karma
Reply

woodcock
Esteemed Legend
‎10-25-2019 12:43 AM

Like this:

Your Search Here That Generates Exception_Name Exception_Keyword Comments columns
| lookup YourLookupHere.csv
| fillnull value="New" Comments
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...