Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search using Inputlookup with wildcard field - unable to retain wildcard key in result

rahul0621
Explorer
‎06-10-2020 09:59 PM

I am using inputlookup in a search query and search key in table (test.csv) has wildcard as shown below.

FILENAMEEMAIL
abc*test1@a.com
xyz*test2@a.com

 

The query should match fname in log file with FILENAME from lookup table and if there's a match then result should be something like:

FILENAMEEMAILcnt
abc*test1@a.com2
xyz*test2@a.com0

 

Instead my query output is:

fnameEMAILcount
abc*test1@a.com0
abc123.txt 1
abc.dat 1
xyz*test2@a.com

0

 

This is my query:

index=* host=* source="/bustools/*"
| rex max_match=100 "\d+\d+\s(?<ts>.*)\s(?<directory>\/.*)\/(?<fname>.*)"
| dedup fname
| search [ | inputlookup test.csv | rename FILENAME AS fname
| fields fname]
| stats count as occur by fname | append
[ inputlookup test.csv | rename FILENAME AS fname | fields fname]
| fillnull occur
| stats sum(occur) as cnt BY fname
| join type=left fname
[ | inputlookup test.csv | rename FILENAME AS fname]
| table fname EMAIL cnt

Any help would be appreciated.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-11-2020 01:07 AM

@rahul0621 

I have change the approach for your requirement. May me useful for you. Can you please try below search?

 

| inputlookup test.csv | eval fname = FILENAME | map search="index=* host=* source="/bustools/*" | rex max_match=100 "\d+\d+\s(?<ts>.*)\s(?<directory>\/.*)\/(?<fname>.*)" | dedup fname | search fname="$fname$" | stats count by fname | appendcols [ | makeresults |eval FILENAME="$FILENAME$",EMAIL="$EMAIL$"] | filldown FILENAME EMAIL " | fillnull count | stats sum(count) by FILENAME,EMAIL

 

Note:

 

This is my Sample Search in case you want to trace logic:

| makeresults | eval FILENAME="splunk_*",EMAIL="test1@a.com" | append [ | makeresults | eval FILENAME="splunkd_*",EMAIL="test2@a.com"] | append [ | makeresults | eval FILENAME="splunks_*",EMAIL="test3@a.com"] | table FILENAME EMAIL | rename comments as "This is lookup data" | eval fname = FILENAME | map search="search index=_internal | rename sourcetype as fname | dedup fname | search fname="$fname$" | stats count by fname | appendcols [ | makeresults |eval FILENAME="$FILENAME$",EMAIL="$EMAIL$"] | filldown FILENAME EMAIL " | fillnull count | stats sum(count) by FILENAME,EMAIL

 

 Thanks
Kamlesh Vaghela

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-11-2020 01:07 AM

@rahul0621 

I have change the approach for your requirement. May me useful for you. Can you please try below search?

 

| inputlookup test.csv | eval fname = FILENAME | map search="index=* host=* source="/bustools/*" | rex max_match=100 "\d+\d+\s(?<ts>.*)\s(?<directory>\/.*)\/(?<fname>.*)" | dedup fname | search fname="$fname$" | stats count by fname | appendcols [ | makeresults |eval FILENAME="$FILENAME$",EMAIL="$EMAIL$"] | filldown FILENAME EMAIL " | fillnull count | stats sum(count) by FILENAME,EMAIL

 

Note:

 

This is my Sample Search in case you want to trace logic:

| makeresults | eval FILENAME="splunk_*",EMAIL="test1@a.com" | append [ | makeresults | eval FILENAME="splunkd_*",EMAIL="test2@a.com"] | append [ | makeresults | eval FILENAME="splunks_*",EMAIL="test3@a.com"] | table FILENAME EMAIL | rename comments as "This is lookup data" | eval fname = FILENAME | map search="search index=_internal | rename sourcetype as fname | dedup fname | search fname="$fname$" | stats count by fname | appendcols [ | makeresults |eval FILENAME="$FILENAME$",EMAIL="$EMAIL$"] | filldown FILENAME EMAIL " | fillnull count | stats sum(count) by FILENAME,EMAIL

 

 Thanks
Kamlesh Vaghela

0 Karma
Reply
Solved! Jump to solution

rahul0621
Explorer
‎06-11-2020 01:15 PM

@kamlesh_vaghela  I had to tweak it a bit but this approach worked perfectly. Thanks a lot for your quick help.

0 Karma
Reply
Get Updates on the Splunk Community!

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...