Splunk Search

REX and Lookups


I am trying to use a lookup table after I rex out some logs.

Here is an example:
index=* source=messages
| rex field=_raw "ACTION:[\w]\s(?.*) CODE"
| outputlookup actions.csv action OUTPUT desc AS desc
| table _time action desc

Can anyone help? Am I doing it wrong?

0 Karma

Re: REX and Lookups

I think the display is eating some of your rex, so I'm not sure I can troubleshoot that part directly. If it's working at creating a field called action, then you should only need to revise your lookup line:

| lookup actions.csv action OUTPUT desc AS desc

That will work if the events contain a field called action. If they don't, (say, maybe they contain a field called ACTION), then you'd do this:

| lookup actions.csv action AS ACTION OUTPUT desc AS desc

The way you have it now, you are using the command outputlookup, which is used to literally "output a lookup file" (i.e. create a lookup file) rather than to use a lookup file to perform a lookup.

View solution in original post

0 Karma