Splunk Search

lookup query - using the lookup list as a search filter

stephenreece
New Member

hi all,

i hope you can help. i have the below search where i a csn of 4000+sessionID's and i need to find a uniquereference from each of the sessions.

If i manually type in the session ID then it works fine but the lookup doesn't seem to want to work as a filter.
(Session= the lookup title and X-Session-ID is the event session id in splunk i am trying to match together before grabbing the uniquereference from the audit).

  • | lookup sessionslookup.csv Session | spath output=uniquereference1 input=detail.responseMessage path=reference1 | spath output=uniquereference2 input=detail.responseMessage path=reference2

| table Session X-Session-ID
| rename Session as X-Session-ID
| table X-Session-ID saUTR saUTR2

any ideas

0 Karma
Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...