Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: baic question on inputlookup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi
I have diffuclties to understand how inputlookup works
I use the search below
index="x" sourcetype=y source="z" EventCode=6008 which returns events
now I want to do the same check from a csv list
so i am doing
index="x" sourcetype=y source="z" EventCode=6008 [|inputlookup host.csv ]| stats count by host
but I have no results even if the is host from csv file which have eventcode=6008
is my query is wrong?
thanks for your help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jip31 You can try below, also make sure the column name in your csv file is host and not Host or anything else.
index="x" sourcetype=y source="z" EventCode=6008 | lookup host.csv host OUTPUT host| stats count by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jip31 You can try below, also make sure the column name in your csv file is host and not Host or anything else.
index="x" sourcetype=y source="z" EventCode=6008 | lookup host.csv host OUTPUT host| stats count by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks
Yes it seems to be ok
last question
Could you confirm that index="x" sourcetype=y source="z" EventCode=6008 [|inputlookup host.csv host OUTPUT host] stats count by host is the same thing that index="x" sourcetype=y source="z" EventCode=6008 | lookup host.csv host OUTPUT host| stats count by host ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jip31 - With inputlookup you don't user the fieldname and OUTPUT. With inputlookup it will be
index="x" sourcetype=y source="z" EventCode=6008 [|inputlookup host.csv ]| stats count by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, what you are looking for, is called lookup, not inputlookup. inputlookup is a leading command that just outputs a lookup file. Also, there is no need for the square brackets when using lookup. Just look at the examples mentioned in the docs. 🙂
Skalli
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jip31 try with the following subsearch in your query
[|inputlookup host.csv | table host]
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks renjith but I have something strange
when I execute this for the host tutu I have events
index="x" sourcetype=y EventCode=* host=tutu
| dedup _time
| stats count(EventCode) as Total by host
| sort -Total limit=10
The host tutu exists in the CSV file but if I done this I have no results....
So it seems that the subsearch not working ...
index="x" sourcetype=y EventCode=*
| dedup _time [|inputlookup host.csv | table host]
| stats count(EventCode) as Total by host
| sort -Total limit=10
Have you an idea please??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this code is correct?
index="X" sourcetype=Y EventCode=*
[|lookup host.csv host OUTPUT host]
| stats count(EventCode) as Total by host
| sort -Total limit=10
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like I said, inputlookup is the wrong command for your use case.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok ...
So i done
index="x" sourcetype=y source="z" EventCode=6008
| dedup _time
| lookup host.csv host
| stats count(EventCode) as Total by host
| sort -Total limit=10
But I have the message Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ skalliger
[|inputlookup host.csv | table host] OR | lookup host.csv host are not the same??
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
