hi
I have difficulties understanding how inputlookup works
I use the search below
index="x" sourcetype=y source="z" EventCode=6008 which returns events
Now I want to do the same check from a csv list
so I am doing
index="x" sourcetype=y source="z" EventCode=6008 [|inputlookup host.csv ]| stats count by host
but I have no results even if there is a host from the csv file which has eventcode=6008
Is my query wrong?
thanks for your help
@jip31 You can try below, also make sure the column name in your csv file is host and not Host or anything else.
index="x" sourcetype=y source="z" EventCode=6008 | lookup host.csv host OUTPUT host| stats count by host
Thanks
Yes it seems to be ok
last question
Could you confirm that index="x" sourcetype=y source="z" EventCode=6008 [|inputlookup host.csv host OUTPUT host] stats count by host is the same thing as index="x" sourcetype=y source="z" EventCode=6008 | lookup host.csv host OUTPUT host| stats count by host ?
@jip31 - With inputlookup you don't use the fieldname and OUTPUT. With inputlookup it will be
index="x" sourcetype=y source="z" EventCode=6008 [|inputlookup host.csv ]| stats count by host
Hi, what you are looking for is called lookup, not inputlookup. inputlookup is a leading command that just outputs a lookup file. Also, there is no need for the square brackets when using lookup. Just look at the examples mentioned in the docs. 🙂
Skalli
@jip31 try with the following subsearch in your query
[|inputlookup host.csv | table host]
thanks renjith but I have something strange
when I execute this for the host tutu I have events
index="x" sourcetype=y EventCode=* host=tutu
| dedup _time
| stats count(EventCode) as Total by host
| sort -Total limit=10
The host tutu exists in the CSV file but if I do this I have no results....
So it seems that the subsearch is not working ...
index="x" sourcetype=y EventCode=*
| dedup _time [|inputlookup host.csv | table host]
| stats count(EventCode) as Total by host
| sort -Total limit=10
Do you have an idea, please??
Is this code correct?
index="X" sourcetype=Y EventCode=*
[|lookup host.csv host OUTPUT host]
| stats count(EventCode) as Total by host
| sort -Total limit=10
Like I said, inputlookup is the wrong command for your use case.
ok ...
So I did
index="x" sourcetype=y source="z" EventCode=6008
| dedup _time
| lookup host.csv host
| stats count(EventCode) as Total by host
| sort -Total limit=10
But I have the message Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.
@ skalliger
[|inputlookup host.csv | table host] OR | lookup host.csv host are not the same??
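Added example, not written by any poster in this thread: the subsearch form and the lookup form side by side, using the thread's host.csv with its host column; in_list is a hypothetical field name chosen here. The first search shows the filter text the subsearch generates, the second uses that subsearch as a filter, and the third uses lookup to tag events and then filters on the tag.

```spl
| inputlookup host.csv
| fields host
| format

index="x" sourcetype=y source="z" EventCode=6008
    [| inputlookup host.csv | fields host ]
| stats count by host

index="x" sourcetype=y source="z" EventCode=6008
| lookup host.csv host OUTPUT host AS in_list
| where isnotnull(in_list)
| stats count by host
```

The first search returns a single field named search holding the OR-list of host="..." terms that the second search receives as its filter, so a header spelled Host in the CSV shows up there as Host="...".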