Hi
Can anyone help me with a lookup table?
I have a 2-column lookup with column headings IPs and URLs, and I want to see if information in either CSV field appears in the index data at all.
Some fields in the CSV just have a URL, some just have an IP, some both.
Is there a search string that will search the contents of either column against data held in the index?
Thanks in advance
Helppppp
Hi @splunkyboy2,
you could run something like this:
your_search ([ | inputlookup your_lookup | rename IP AS query | fields query ] OR [ | inputlookup your_lookup | rename URL AS query | fields query ])
| ...
Ciao.
Giuseppe
Thanks for the reply, I'm new to Splunk, so pardon my silly questions.
How would I script a search that compares either column of the lookup against data in the index using what you sent? Would that be
index=myindex ( [ | inputlookup mylookup | rename IPs as query | fields query ] OR [ | inputlookup mylookup | rename URLs as query | fields query ] )
thanks for your help
your_search ([ | inputlookup your_lookup | rename IP AS query | fields query ] OR [ | inputlookup your_lookup | rename URL AS query | fields query ])
Hi @splunkyboy2,
if you rename a field in a subsearch "AS query", the results of the subsearch are used as a free-text search in the main search and not only in a field as usual.
You have to use two subsearches because you have two columns to use in the search.
Ciao.
Giuseppe
So is this the search I need to run, below?
index=myindex ( [ | inputlookup mylookup | rename IPs as query | fields query ] OR [ | inputlookup mylookup | rename URLs as query | fields query ] )
hi @splunkyboy2,
yes, try this and see the results, to understand if it's OK or if you have to modify something:
index=myindex ( [ | inputlookup mylookup | rename IPs as query | fields query ] OR [ | inputlookup mylookup | rename URLs as query | fields query ] )
Ciao.
Giuseppe
I put an IP address I found in my data into the lookup to test the search, but it didn't bring back any results.
As I don't really understand the search, it's hard to see where it's not working, I guess.
I tried breaking it down, but no results.
I have made a new lookup with two columns: one called info is a mix of IP addresses and URLs, and the second column just has the word match against all fields.
I tried the search index=xxxxxxx | inputlookup xxxxx.csv | rename info as query | fields query
Should that work if anything in the info field is present in the data?
Hi @splunkyboy2,
maybe there is a representation problem, but you have to use square brackets for subsearches (use Insert/Edit Code Sample for code):
index=xxxxxxx [| inputlookup xxxxx.csv | rename info as query | fields query ]
| ...
Using only one column obviously simplifies your search.
Ciao.
Giuseppe
It works using a single-column (match) lookup with the syntax below, thanks for all your help.
index="wss_events" sourcetype=symantec:websecurityservice:scwss-poll [| inputlookup "WSSIOC4.csv" | rename match as query | fields query ]
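Added example, not code from the thread: Giuseppe's two-subsearch form applied to the original two-column lookup, where some rows have only an IP and some only a URL. Each subsearch drops blank cells with `where` before the rename, so only real indicator values are passed to the outer search as free-text terms; `myindex`, `mylookup` and the `IPs`/`URLs` column names are the placeholders used above.

```spl
index=myindex
    (
        [ | inputlookup mylookup
          | where isnotnull(IPs) AND IPs!=""
          | rename IPs AS query
          | fields query ]
        OR
        [ | inputlookup mylookup
          | where isnotnull(URLs) AND URLs!=""
          | rename URLs AS query
          | fields query ]
    )
| stats count AS hits BY sourcetype
```

To check what is being fed to the outer search, run either bracketed subsearch on its own (starting from `| inputlookup`): if it returns no rows, the lookup name or the column heading does not match the CSV.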