Splunk Search

Refining the search through lookup

macadminrohit
Contributor

Hi,

Below is the search I am running on a set of servers in the lookup file , I don't want to run the search on all the hosts resulting from my main search that's why I am using the sub search (using inputlookup)

index=cohl host=mdc* [ | inputlookup COHL_Sourcetype | eval count=0 | stats count by sourcetype host] | where count==0 | table sourcetype host

But when I run the search I see the error :

Regex: invalid UTF-8 string

Can the experts let me know how to get rid of this error?

Tags (1)
0 Karma

woodcock
Esteemed Legend

What does this do:

| inputlookup COHL_Sourcetype

Does the above give you the error, too? If so, you definitely need to clean the file.

Also, the search definitely is broken even beyond this error. At a minimum, this | stats count by sourcetype host should be stats count by sourcetype host | table sourcetype host or maybe stats count by sourcetype host | table sourcetype or maybe stats count by sourcetype host | table host.

0 Karma

lguinn2
Legend

Splunk expects the lookup files to be in the UTF-8 character set, with normal line endings (Linux or Windows).
Here are the specific requirements from the Configure CSV lookups section of the Knowledge Manager manual. The file must also be in proper CSV format.

Many text editors can find and "zap" weird characters and clean up the line endings in a file. I think Notepad++ may do this, as will BBEdit and others.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Have you verified there are no weird characters in your inputlookup table?

0 Karma

macadminrohit
Contributor

No I don't see anything weird in the lookup file. Any way I can remove those characters if any?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Do you only want to run your search for host,sourcetype combination in subsearch where the value of field count in the subsearch is greater than 0? If yes then, you should include the where clause inside subsearch. Also, add a table command at the end of subsearch to only return the fields that you want to pass (and which are available in ) in base search.

index=cohl  [ | inputlookup COHL_Sourcetype | eval count=0 | stats count by sourcetype host | where count=0 | table sourcetype host] 
0 Karma

macadminrohit
Contributor

I tried your query but it doesn't work , to test it I placed 'where count >=0' , but it again gave me that error .

index=cohl host=mdc* [ | inputlookup COHL_Sourcetype | eval count=0 | stats count by sourcetype host | where count ==0 | table sourcetype host]

The above query doesn't return anything.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try this

index=cohl  [ | inputlookup COHL_Sourcetype | stats count by sourcetype host | where count=0 | table sourcetype host | format ] 

OR

index=cohl  [ | inputlookup COHL_Sourcetype | stats count by sourcetype host | where count=0 | table sourcetype host | format  "" "" "" "" "" ""] 
0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...