Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

output lookup search correlation with input lookup data

brdr
Contributor
‎04-23-2018 10:28 AM

Hello, can you use a output lookup table just after creating it? I have this search...

index=indexA sourcetype=mystA | table src | outputlookup new.csv
| search index=indexB sourcetype=mystB [| inputlookup new.csv | rename src as src_ip ]
| table user
| lookup user.csv AS user OUTPUT displayName

When I run this I get no data found, however, when I separate out the outputlookup command and the subsearch and run I get results as expected.

0 Karma
Reply

brdr
Contributor
‎04-23-2018 12:40 PM

reposted initially as an Answer: reposting as a comment:

My use case is:
I need a count of users by there business units. To do this I do:
output list IPs as seen in blue coat logs
index=indexA sourcetype=mystA | table src | outputlookup new.csv
using this list (new.csv) match on IP to get user name from our authentication data (indexB) to display business unit
| search index=indexB sourcetype=mystB [| inputlookup new.csv | table src | rename src as src_ip ]
| table user
| lookup user.csv uname as user OUTPUT displayName businessUnit
| stats count by businessUnit

0 Karma
Reply

brdr
Contributor
‎04-23-2018 11:21 AM

My use case is:

I need a count of users by there business units. To do this I do:

  • output list IPs as seen in blue coat logs
    index=indexA sourcetype=mystA | table src | outputlookup new.csv

  • using this list (new.csv) match on IP to get user name from our authentication data (indexB) to display business unit
    | search index=indexB sourcetype=mystB [| inputlookup new.csv | table src | rename src as src_ip ]
    | table user
    | lookup user.csv uname as user OUTPUT displayName businessUnit
    | stats count by businessUnit

0 Karma
Reply

somesoni2
Revered Legend
‎04-23-2018 10:59 AM

I don't think you can do that. What's your use case here?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...