Solved: csv lookup based on search results add knowledge

r999 · ‎09-06-2012

i have search which produces results as follows

UserID            Action
domain\aas1234    blah blah
domain\aas1235    blah blah

I have csv file like so

ID           FirstName  SecondName
aas1234      Joe        Bloggs
aas1235      Dave       Smith

I want to add the fristName and SecondName to the results by looking up based on the the Searcgh results. i can see documebntation how to do this in props&trandsforms.conf but how do i do this at search time in the search bar?

im aiming for the follwing result:

UserID            Action         FirstName SecondName
domain\aas1234    blah blah        Joe       Bloggs
domain\aas1235    blah blah

gkanapathy · ‎09-06-2012

First, note that lookups configured in props.conf/transforms.conf are done at search time. The lookup search command offers basically the same functionality as configurations in props.conf/transforms.conf. The difference is simply that the configuration causes the command to run automatically and invisibly at search time, rather than explicitly. (Automatic config also lets you perform reverse-lookup searches more transparently.)

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

View solution in original post

gkanapathy · ‎09-06-2012

First, note that lookups configured in props.conf/transforms.conf are done at search time. The lookup search command offers basically the same functionality as configurations in props.conf/transforms.conf. The difference is simply that the configuration causes the command to run automatically and invisibly at search time, rather than explicitly. (Automatic config also lets you perform reverse-lookup searches more transparently.)

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

csv lookup based on search results add knowledge

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout