So this may be a pretty easy task, however I am not getting it to work the way I want it:
So here is my problem:
I have a CSV with 3 columns:
id,uid,role
1,2342334,master
2,2342334,slave
3,34234234,master
(...)
Now I want a search on my index that returns me all data where the uid is in the csv.
What I did so far is the following:
index = myindex [ |inputlookup mycsv.csv | fields 10000 $uid ]
However this solution is not perfect.
What I wanted to achieve should be like this:
index= myindex uid=2342334 or uid =34234234 or uid=(..)
Any ideas?
Hi Aaron
you can use the lookup command directly
https://docs.splunk.com/Documentation/SCS/current/SearchReference/LookupCommandExamples
inputlookup works differently: with it you can search inside your lookup table, while with the lookup command you can enrich your data.
Sure.
Basically you must have one field in your data that is present in the lookup table;
by hypothesis it will be the "ID" field.
Example:
index = myindex | lookup mycsvfile ID OUTPUT UID ROLE |
By associating the field, you can find the fields present in the lookup table to enrich your data set.
It would be nice if you could confirm the solution.
Thanks!
Sorry for the trouble, but I am still not sure if I understand it right.
So by doing "index = myindex | lookup mycsv.csv UID OUTPUT UID | " all UIDs that are in mycsv.csv will be returned?
Exactly
With this search you can find your UID values in your dataset.
I would really appreciate it if you could confirm the solution.
Will do so 🙂
However it seems not to work for me, or I am still not fully understanding it.
The UID is not part of the index. The value I want to match against the UID column from the CSV is in a JSON, something like this: things.attributes.UIDThingNumber
So I want to do something like this:
index = myindex "things.attributes.UIDThingNumber"=123 or 456 or 789 and that does not seem to work the way you described it.
I am really sorry if I haven't explained it right.
Hi @Aaron283
You have these fields in your lookup table:
ROLE, UID and ID
In your dataset you need the ID field to match the data, not the UID field
index = myindex | lookup mycsv.csv ID OUTPUT UID
If you don't have any ID field in your dataset you can create your ID field with the eval command
https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Eval
I think I have much to learn. Still not getting it, but thanks for the help.
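
Added example, not part of any post in this thread: one way to get the filter the original question asks for is a subsearch that reads the CSV and renames its column to the event field, so that Splunk expands it into an OR list of field=value terms. It assumes the CSV header is `uid` as shown in the question and that the JSON value is extracted as the field `things.attributes.UIDThingNumber`.

```spl
index=myindex
    [ | inputlookup mycsv.csv
      | fields uid
      | dedup uid
      | rename uid AS "things.attributes.UIDThingNumber"
      | format ]
```

Running the bracketed part on its own shows the generated expression in the `search` field; by default a subsearch returns at most 10,000 rows, so a larger CSV is silently truncated.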