I have a search like this:
|inputlookup CSV-Generic-GenCus-GenLBL-SensitiveDataKeyWords.csv | map [search index="*" $keyword$ | eval kw=$keyword$, rex=$regex$ | regex($regex$)]
The results I get back from it are displayed as statistics, not as events, even though the search under the map obviously finds events. Is there a way to display them as events?
In my experience, the result you get when using the "inputlookup" function is a table, not events.
So if you want to mask or replace sensitive keywords from the invoked CSV file, maybe the command order needs to change.
Here is my thought:
[ your data from index ] | lookup or append CSV file | map command
You will get events from the search first, and then use the lookup or append function to process your data.
Have a try 🙂
1. Append, https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Append
2. Map, http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Map
3. inputlookup, http://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Inputlookup
Thank you for your answer, I am not surprised that the inputlookup gives me a table, I just want it to do a search for each record in the table and then show the resulting events.
Thanks for your suggestion
I am not sure that will achieve the same result though, and it looks like it would have to retrieve all events first.
My current implementation is such that it is doing a keyword search for each keyword in the file, which is running fairly efficiently.
If you already understand it's a table when using the "inputlookup" function, and you really want to replace the value via the table, you need to be careful when processing the CSV table format.
| inputlookup filename.csv ---> you will get a field name with a value. And if you want to use the pipeline | to process the previous data, you need to use it like this:
| inputlookup filename.csv | search sensitive_kw="12345"
All I want to express is that you can't type the command just like in the normal situation, like
index=test_indexname "12345"
With the second example you will get the result you expect, but not with the first one. So when you deal with the inputlookup function, the field names you want to process need to be specified in the SPL.
Hope this can help to solve your problem 🙂