Splunk Search

Search for IDS with inputlookup

Aaron283
Explorer

So this may be a pretty easy task, however I am not getting it to work the way I want it:

so here is my problem:

I have CSV with 3 columns
id,uid,role
1,2342334,master
2,2342334,slave
3,34234234,master
(...)

Now I want a search on my index that returns me all data where the uid is in the csv.
What I did so far is the following :

index = myindex [ |inputlookup mycsv.csv | fields 10000 $uid ]

However this solution is not perfect.
What I would wanted to achieve should be like this
index= 
myindex uid=2342334 or uid =34234234 or uid=(..)

Any ideas?

Labels (1)
0 Karma
1 Solution

aasabatini
Motivator

Hi  @Aaron283 

you have on your lookup table these fields

ROLE UID and ID

on your dataset you need ID field to match the data no UID field

index = myindex | lookup mycsv.csv ID OUTPUT UID

if you don't have any ID field  on your dataset you can create you ID field with eval comand

https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Eval

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

View solution in original post

aasabatini
Motivator

Hi Aaron

you can use directly the lookup comand

 

https://docs.splunk.com/Documentation/SCS/current/SearchReference/LookupCommandExamples

 

inputlookup works different, you can search inside on your lookup table, with the lookup comand you can enrich your data.

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

aasabatini
Motivator

sure

Basically you must have one field on your data present on the lookup table

by hypothesis will be "ID" field.

example

index = myindex | lookup  mycsvfile ID OUTPUT UID ROLE | 

with the association the field you can find the fields present on the lookup table to enrich your data set.

would be nice if you can confirm the solution

Thanks!

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

Aaron283
Explorer

Sorry for the trouble, but I am still not sure if I understand it right.
so by doing "index = myindex | lookup mycsv.csv UID OUTPUT UID | " all UIDs that are in mycsv.csv will be returned?

0 Karma

aasabatini
Motivator

Exactly

with this search you can find your UID values on your dataset.

I really appreciate if you can confirm the solution

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

Aaron283
Explorer

Will do so 🙂
However it seems not to work for me, or I am still not fully understanding it.
The UID is not part of index. the value I want to match the UID COLUMN from the CSV is in a JSON sth like this. things.attributes.UIDThingNumber

So I want to do something like this:
index = myindex "things.attributes.UIDThingNumber"=123 or 456 or 789 and that does not seem to work the way you described it .

I am really sorry if I haven't explained it right

0 Karma

aasabatini
Motivator

Hi  @Aaron283 

you have on your lookup table these fields

ROLE UID and ID

on your dataset you need ID field to match the data no UID field

index = myindex | lookup mycsv.csv ID OUTPUT UID

if you don't have any ID field  on your dataset you can create you ID field with eval comand

https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Eval

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

Aaron283
Explorer

I think I have much to learn. Still not getting it but thanks for the help

0 Karma

Aaron283
Explorer

thanks for the fast reply. Could you give me a short example?

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...