Splunk Search

Basic question on inputlookup

jip31
Motivator

Hi,

I have difficulties understanding how inputlookup works.
I use the search below, which returns events:
index="x" sourcetype=y source="z" EventCode=6008
Now I want to do the same check from a CSV list, so I am doing:

index="x" sourcetype=y source="z" EventCode=6008 [|inputlookup host.csv ] | stats count by host

but I have no results, even though there are hosts from the CSV file which have EventCode=6008.
Is my query wrong?
Thanks for your help

1 Solution

Vijeta
Influencer

@jip31 You can try the search below; also make sure the column name in your CSV file is host and not Host or anything else.

index="x" sourcetype=y source="z" EventCode=6008 | lookup host.csv host OUTPUT host | stats count by host


jip31
Motivator

Thanks.
Yes, it seems to be OK.
Last question:
Could you confirm that index="x" sourcetype=y source="z" EventCode=6008 [|inputlookup host.csv host OUTPUT host] stats count by host is the same thing as index="x" sourcetype=y source="z" EventCode=6008 | lookup host.csv host OUTPUT host | stats count by host ?


Vijeta
Influencer

@jip31 - With inputlookup you don't use the field name and OUTPUT. With inputlookup it will be

index="x" sourcetype=y source="z" EventCode=6008 [|inputlookup host.csv ] | stats count by host

skalliger
Motivator

Hi, what you are looking for, is called lookup, not inputlookup. inputlookup is a leading command that just outputs a lookup file. Also, there is no need for the square brackets when using lookup. Just look at the examples mentioned in the docs. 🙂

Skalli


niketn
Legend

@jip31 try with the following subsearch in your query

[|inputlookup host.csv | table host]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jip31
Motivator

Thanks renjith, but I have something strange.
When I execute this for the host tutu I have events:
index="x" sourcetype=y EventCode=* host=tutu
| dedup _time
| stats count(EventCode) as Total by host
| sort -Total limit=10

The host tutu exists in the CSV file, but if I do this I have no results....
So it seems that the subsearch is not working ...

    index="x" sourcetype=y  EventCode=* 
    | dedup _time [|inputlookup host.csv | table host]
    | stats count(EventCode) as Total by host 
    | sort -Total limit=10

Have you an idea please??


jip31
Motivator

Is this code correct?

index="X" sourcetype=Y EventCode=*
  [|lookup host.csv host OUTPUT host]
     | stats count(EventCode) as Total by host 
     | sort -Total limit=10

skalliger
Motivator

Like I said, inputlookup is the wrong command for your use case.


jip31
Motivator

OK ...
So I did:
index="x" sourcetype=y source="z" EventCode=6008
| dedup _time
| lookup host.csv host
| stats count(EventCode) as Total by host
| sort -Total limit=10

But I get the message: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.


jip31
Motivator

@skalliger
[|inputlookup host.csv | table host] and | lookup host.csv host are not the same??

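The question asked in this last post (are the inputlookup subsearch and the lookup command the same thing?) and niketn's earlier suggestion to add `| table host` are two sides of one distinction, so here is an added example that models it. It is not code from any post in this thread and it is not Splunk itself: it is a small Python simulation of how Splunk expands a `[|inputlookup ...]` subsearch into an OR of field=value terms (which filters the outer search) versus how `| lookup ... OUTPUT ...` enriches matched events without dropping the unmatched ones. The contents of host.csv and the event list are constructed sample data, the lookup is assumed to carry a second column (`owner`) to show why the `table host` step matters, and the model assumes an event with no lookup match keeps its existing host value (confirm that against your own Splunk version).

```python
import csv
import io

# Constructed stand-in for host.csv. The extra "owner" column is an
# assumption made to show what happens when the CSV has columns the
# events do not carry.
HOST_CSV = """host,owner
tutu,alice
web01,bob
"""

# Constructed stand-in for the events returned by
# index="x" sourcetype=y source="z" EventCode=6008
EVENTS = [
    {"host": "tutu", "EventCode": "6008"},
    {"host": "tutu", "EventCode": "6008"},
    {"host": "web01", "EventCode": "6008"},
    {"host": "db02", "EventCode": "6008"},   # not in the CSV
]


def load_lookup(text):
    """Read the CSV the way inputlookup would: one dict per row, header as field names."""
    return list(csv.DictReader(io.StringIO(text)))


def subsearch_filter(rows, fields=None):
    """Model of [| inputlookup host.csv | table <fields>] used as a subsearch.

    Splunk turns every returned row into an AND of field=value terms and ORs
    the rows together, e.g. (host="tutu") OR (host="web01"). Without a
    `table host`, every CSV column becomes a term, so (host="tutu" AND
    owner="alice") can never match an event that has no owner field, and the
    outer search returns nothing.
    """
    if fields is not None:
        rows = [{k: r[k] for k in fields} for r in rows]
    return lambda ev: any(all(ev.get(k) == v for k, v in r.items()) for r in rows)


def lookup_enrich(events, rows, key, output_fields):
    """Model of | lookup host.csv <key> OUTPUT <fields>: enrich, never filter.

    Raises when <key> is not a column of the CSV, which is the situation
    behind Splunk's "Could not find all of the specified lookup fields"
    error (column names are case-sensitive, so "Host" is not "host").
    Events with no match are kept unchanged (assumption, see lead-in).
    """
    if not rows or key not in rows[0]:
        raise KeyError(f"Could not find lookup field '{key}' in the lookup table")
    index = {r[key]: r for r in rows}
    out = []
    for ev in events:
        ev = dict(ev)
        match = index.get(ev.get(key))
        if match:
            for f in output_fields:
                ev[f] = match[f]
        out.append(ev)
    return out


def count_by_host(events):
    """Model of | stats count by host."""
    counts = {}
    for ev in events:
        counts[ev["host"]] = counts.get(ev["host"], 0) + 1
    return counts


def run_subsearch(fields=None):
    """index=... EventCode=6008 [|inputlookup host.csv | table host] | stats count by host"""
    keep = subsearch_filter(load_lookup(HOST_CSV), fields)
    return count_by_host([e for e in EVENTS if keep(e)])


def run_lookup(output_fields=("host",)):
    """index=... EventCode=6008 | lookup host.csv host OUTPUT host | stats count by host"""
    return count_by_host(lookup_enrich(EVENTS, load_lookup(HOST_CSV), "host", output_fields))


def lookup_error(key):
    """Return the error text for a lookup on <key>, or None if the column exists."""
    try:
        lookup_enrich(EVENTS, load_lookup(HOST_CSV), key, ["host"])
    except KeyError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print("subsearch with table host:", run_subsearch(["host"]))  # only CSV hosts
    print("subsearch without table  :", run_subsearch())          # empty: owner never matches
    print("lookup OUTPUT host       :", run_lookup())             # every host, CSV or not
    print("lookup on column 'Host'  :", lookup_error("Host"))     # column-name error
```

Run as-is and compare the four lines: the subsearch with `table host` is the only form that restricts the result to hosts listed in the CSV; the subsearch without it returns nothing once the CSV has a column the events lack; and the `lookup` form still counts db02, because lookup only adds fields. To filter with `lookup`, output the matched value under a new name and test it afterwards (for example `| lookup host.csv host OUTPUT host AS in_list | where isnotnull(in_list)`), which is the pattern to check rather than `OUTPUT host`.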