Splunk Search

Why is my lookup search query not returning expected results?

mistergreen28
New Member

I've got a KeywordList.csv lookup table with 3 columns (URI, URI_Keyword, URI_KeywordType). URI is a pre-existing field in our log data, while URI_Keyword and URI_KeywordType are new fields that I'd like to enrich our events with. I've created a file based lookup (KeywordList) definition that is used in the same app context & permissions as the KeywordList.csv.

What I'm trying to do is search our URI field with the keywords from the URI field in the lookup table, and then output corresponding URI_Keyword and URI_KeywordType field data for those events.

My script below brings back a table that has blank URI_Keyword and URI_KeywordType fields.

index=tmg | search [|inputlookup KeywordList.csv | fields URI] | lookup KeywordList URI OUTPUTNEW URI_Keyword, URI_KeywordType | table URI_Keyword, URI_KeywordType, URI

When removing the "| fields URI" piece from the subsearch, I get no results.

What am I doing wrong?

0 Karma

woodcock
Esteemed Legend

You are misunderstanding what this portion does:

... [|inputlookup KeywordList.csv | fields URI] ...

Try typing this into your search bar:

| inputlookup KeywordList.csv | fields URI | format

Then try it without | fields URI like this:

| inputlookup KeywordList.csv | format

Now you should understand that the first part of your search should probably be this (which does the same thing that you have, but more clearly and efficiently):

index=tmg [|inputlookup KeywordList.csv | fields URI] | ...

And you should be able to take it from there (I am not sure what your end-game is).

0 Karma

peter_krammer
Communicator

Try one of these and see if it works for you:

index=tmg | search [|inputlookup KeywordList.csv | fields URI] | lookup KeywordList URI OUTPUT URI_Keyword, URI_KeywordType | table URI_Keyword, URI_KeywordType, URI

index=tmg | search [|inputlookup KeywordList.csv | fields URI] | lookup KeywordList URI | table URI_Keyword, URI_KeywordType, URI

index=tmg | lookup KeywordList URI | table URI_Keyword, URI_KeywordType, URI

Sorry, I wrote a longer answer but lost everything because of my browser, so this short answer is all you get from me at the moment.

0 Karma
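Both answers above rest on two things the reader can check offline: what `| format` turns the inputlookup subsearch into (woodcock's point), and that `| lookup KeywordList URI ...` only fills URI_Keyword and URI_KeywordType for events whose URI value matches a lookup row's URI value (the variants peter_krammer lists all share that join). The Python below is an added example written for this page, not code from any of the posters or from Splunk. The KeywordList.csv rows and the events are constructed, and it assumes the lookup is left at the CSV default of an exact, case-sensitive key match (transforms.conf `case_sensitive_match`, no WILDCARD `match_type`); it emulates the subsearch formatting, the OUTPUTNEW join, and adds a small diagnostic that lists the event values that never match a key, which is the first thing to run when the output columns come back blank.

```python
import csv
import io

# Constructed KeywordList.csv in the shape the question describes
# (columns URI, URI_Keyword, URI_KeywordType); not the asker's real file.
KEYWORDLIST_CSV = """URI,URI_Keyword,URI_KeywordType
/admin/login,admin,auth
/api/v1/export,export,data
"""

# Constructed events standing in for index=tmg; each carries a URI field.
# Two of them differ from the lookup only in case or trailing whitespace.
EVENTS = [
    {"URI": "/admin/login"},
    {"URI": "/API/v1/export"},
    {"URI": "/admin/login "},
    {"URI": "/static/app.js"},
]


def load_lookup(text):
    """Parse the CSV lookup into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def format_subsearch(rows, field):
    """Render rows the way `| inputlookup ... | fields URI | format` does:
    one ( field="value" ) term per row, joined with OR, values verbatim."""
    terms = " OR ".join(f'( {field}="{row[field]}" )' for row in rows)
    return f"( {terms} )"


def lookup(events, rows, key, outputs, overwrite=False):
    """Emulate `| lookup <name> <key> OUTPUT/OUTPUTNEW <fields>` with the
    exact, case-sensitive key comparison a CSV lookup performs by default
    (assumption: transforms.conf left at its defaults). Events whose key
    matches no row get no output fields, which is exactly what a blank
    URI_Keyword / URI_KeywordType column in `| table` looks like."""
    index = {row[key]: row for row in rows}
    enriched = []
    for event in events:
        ev = dict(event)
        match = index.get(ev.get(key))
        if match:
            for f in outputs:
                # OUTPUTNEW fills only fields the event does not already have;
                # OUTPUT (overwrite=True) replaces them.
                if overwrite or f not in ev:
                    ev[f] = match[f]
        enriched.append(ev)
    return enriched


def unmatched_keys(events, rows, key):
    """Diagnostic: distinct event values that never match a lookup key.
    Returning repr() makes case and whitespace differences visible that
    a rendered results table hides."""
    keys = {row[key] for row in rows}
    return sorted({repr(ev[key]) for ev in events if ev[key] not in keys})


def normalized_lookup(events, rows, key, outputs):
    """The same join after stripping and lower-casing both sides, i.e. the
    normalization to apply (for example with eval) before `| lookup` when
    the lookup definition itself cannot be changed."""
    norm_rows = [{**r, key: r[key].strip().lower()} for r in rows]
    norm_events = [{**e, key: e[key].strip().lower()} for e in events]
    return lookup(norm_events, norm_rows, key, outputs)


if __name__ == "__main__":
    rows = load_lookup(KEYWORDLIST_CSV)
    print(format_subsearch(rows, "URI"))
    for ev in lookup(EVENTS, rows, "URI", ["URI_Keyword", "URI_KeywordType"]):
        print(ev)
    print("unmatched:", unmatched_keys(EVENTS, rows, "URI"))
```

Run as-is it prints the OR'ed filter that `format` would produce, then the enriched events, with three of the four carrying no URI_Keyword at all: one because it is simply not in the lookup, two because "/API/v1/export" and "/admin/login " differ from their lookup rows only in case and a trailing space. The `unmatched_keys` output makes that difference visible, and `normalized_lookup` shows the join succeeding once both sides are normalized.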

mistergreen28
New Member

Thanks for the input. None of the modified scripts work. They all output blank URI_Keyword and URI_KeywordType fields.

0 Karma