Splunk Search

Use lookup to retrieve query value

bdruth
Path Finder

Good evening.

I have a query that currently does what I need it to do, searching on a particular value, "foo". This is tied to a form view, so users can simply enter "foo" in a box and the fairly intricate search retrieves what they need. Great. The log events in Splunk reference the value "foo", but it turns out the users actually don't have access to the values for "foo". They only know things by a different value, "bar". There's a backend database somewhere that creates a unique value "bar" for every unique value "foo". Thankfully, we have a CSV extract from the database with two columns, "foo" and "bar", ~2100 of them.

I've been going through the lookup documentation in the Splunk KnowledgeBase as well as here on Splunk>answers, but I'm still at a loss. I don't think using the subsearch as I've seen is what I want, or if it is, I'm not sure how to use it. I need to have the user enter "bar" and look up the corresponding value for "foo" in the CSV Lookup so the search query is actually referencing the value for "foo" (the value for "bar" doesn't appear in any of our events).

I'm thinking what I need is something like:

[inputlookup lookup.csv | fields foo,bar | where bar=$bar$ | fields foo]

At least, conceptually, that's what I'm thinking, I guess ...


bdruth
Path Finder

I think I got it ... I was pretty close 🙂

[inputlookup lookup.csv | where bar=$bar$ | return 1 foo]

Pro-tip: you can see what the subsearch is going to return by just doing

| inputlookup lookup.csv

and then starting to tack things on from there. Debugging a subsearch black box (as in, inline with the rest of your search) is murder.
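A fuller form of the working search, added here as an example rather than the poster's own code; the index, sourcetype, lookup file name and sample value are assumptions. The dashboard token filter $bar|s$ wraps the user's input in double quotes and escapes it, so a value with spaces or quotes is compared as a string instead of being read as a field name, and return 100 foo ORs together every foo that maps to the entered bar, where return 1 foo would silently keep only one of them.

```spl
index=app_logs sourcetype=app_events
    [ | inputlookup lookup.csv
      | where bar=$bar|s$
      | return 100 foo ]
| stats count BY foo
```

To see exactly what gets injected into the outer search, run the bracketed part alone with a literal value, e.g. | inputlookup lookup.csv | where bar="BAR-0042" | return 100 foo; an empty result means the lookup has no foo for that bar, which is the first thing to check when the form returns no events.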
