Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to use inputlookup and lookup together to filter events and then output a new field with value mappings

matthewb4
Path Finder
‎09-18-2017 02:10 PM

I have a lookup abc.csv with the following values...

**header1, header2**
value1a, value2a
value1b, value2b
value1c, value2c
value1d, value2d

I have a base query that I need to first filter a fieldX by only values contained in the lookup abc.csv header1 column. I understand that I can do this using something like, "[ | inputlookup abc.csv | fields fieldX]" but there are two problems here...

  1. my splunk fieldX does not have the same name as header1 (and I would like to keep them different).
  2. I need to use this lookup command after using several other pipes already, not directly after the base search query (this is because I have to first regex a different field to create the proper mapping values for fieldX)

Once the events are filtered, I need use the same lookup file abc.csv to output a new field with the values in header 2.

Correct me if I'm wrong but I believe i have to do it this way because it won't let me just use the lookup command (and forego inputlookup altogether) as most of the values in fieldX aren't present in header1 and i get this error... ** "Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table" **

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎09-18-2017 05:29 PM

I don't say this much, but altogether, it looks like this is a candidate for join.

 "MY SEARCH" 
 | eval splitField=split(fieldA,"-") 
 | eval temp=lower(mvindex(splitField,0)) 
 | rex field=temp "service:(?<fieldX>.*)" 
 | join fieldX [|inputlookup abc.csv | rename header1 as fieldX ]

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎09-18-2017 05:29 PM

I don't say this much, but altogether, it looks like this is a candidate for join.

 "MY SEARCH" 
 | eval splitField=split(fieldA,"-") 
 | eval temp=lower(mvindex(splitField,0)) 
 | rex field=temp "service:(?<fieldX>.*)" 
 | join fieldX [|inputlookup abc.csv | rename header1 as fieldX ]
Reply
Solved! Jump to solution

matthewb4
Path Finder
‎09-19-2017 09:34 AM

hey that worked, thank you

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-18-2017 02:34 PM

You get option to rename lookup field names with inputlookup/lookup command use.
E.g. for inputlookup as filter

[ | inputlookup abc.csv | table header1 | rename header1 as fieldX ]

and for lookup 

your search | lookup abc.csv header1 as fieldX OUTPUT header2 as newFieldNameThatYouWant

I would suggest reading lookup command documentation to learn more about lookup command, it's syntax and available options.

Reply
Solved! Jump to solution

matthewb4
Path Finder
‎09-18-2017 02:59 PM

I'm not sure this will work for me as I don't have fieldX correctly 'configured' until several pipes after the base search query (As follows)...

"MY SEARCH" | eval splitField=split(fieldA,"-") | eval temp=lower(mvindex(splitField,0)) | rex field=temp "service:(?<fieldX>.*)" | ........

If I try to insert the lookup command after the last pipe above I get the following error "Subsearches are only valid as arguments to commands"

Also, does the above inputlookup syntax you mentioned actually filter out filedX values not contained in header1? What does the 'table' portion do, I feel like it is not intuitive after looking through http://docs.splunk.com/Documentation/Splunk/6.3.5/SearchReference/Inputlookup

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...