Splunk Search

display results from map on inputlookup as events

Path Finder

I have a search like this:

|inputlookup CSV-Generic-GenCus-GenLBL-SensitiveDataKeyWords.csv | map [search index="*" $keyword$ | eval kw="$keyword$", rex="$regex$" | regex _raw="$regex$"]

The results I get back from it are displayed as statistics, not as events, even though the search under the map obviously finds events. Is there a way to display them as events?

1 Solution

Esteemed Legend

It is not possible; the minute that you mix your search stream with inputlookup, you lose the Events tab, period.


Path Finder

That's good to know.


Explorer

Hi fvegdom,

in my experience, the result you get when you use the "inputlookup" command is a table, not events.
So if you want to mask or replace sensitive keywords by invoking a CSV file, maybe the command order needs to change.

Here is my thought :
[ your data from index ] | lookup or append CSV file | map command
You get events from the event search first, and then use the lookup or append command to process your data.

Have a try 🙂

Ref:
1. Append, https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Append
2. Map, http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Map
3. inputlookup, http://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Inputlookup

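One way to realise the ordering suggested above (events first, then the keyword list) without losing the Events tab is to feed the lookup's keyword column into the outer search as a subsearch. This is an added example, not code from any poster in this thread; it assumes the CSV has a `keyword` column, which the original map search implies. The per-row `regex` column cannot be applied in the same pass this way, so the search only narrows to events that contain at least one listed keyword.

```spl
index="*"
    [ | inputlookup CSV-Generic-GenCus-GenLBL-SensitiveDataKeyWords.csv
      | rename keyword AS search
      | fields search ]
```

When a subsearch returns a single field named `search`, its values are substituted into the outer search as literal terms ORed together, instead of being turned into `keyword="..."` field comparisons. The outer search remains an ordinary event search, so the Events tab is still available. Subsearches are bounded by the default limits on returned rows and run time, so a very large keyword list may be truncated; check the job inspector if the number of terms looks short.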

Path Finder

Thank you for your answer. I am not surprised that the inputlookup gives me a table; I just want it to do a search for each record in the table and then show the resulting events.

Thanks for your suggestion. I am not sure that will achieve the same result though, and it looks like it would have to retrieve all events first.

My current implementation does a keyword search for each keyword in the file, which is running fairly efficiently.


Explorer

If you already understand that it's a table when using the "inputlookup" command, and you really want to replace the value via the table, you need to be careful when processing the CSV table format.

For example,

| inputlookup filename.csv ---> you will get field names with values. If you want to use the pipeline | to process the previous data, you need to use something like this:

| inputlookup filename.csv | search sensitive_kw="12345"

All I want to express is that the command can't be typed the way it is in the normal situation, like
index=test_indexname "12345"
In the second example you will get the result you expect; in the first one you will not. So when you deal with the inputlookup command, the field names you want to process need to be specified in the SPL.

Hope this can help to solve your problem 🙂
