splunk lookup

Siddharthnegi
Contributor

I want to show lookup file content horizontally.

E.g., rather than this:

panels
a
b
c

I want

panels a b c    OR         a b c


bowesmana
SplunkTrust
SplunkTrust

Try this

| inputlookup your_lookup.csv
| stats values(panels) as panels
| eval panels=mvjoin(panels, " ")

Siddharthnegi
Contributor

Thanks for the quick response. I want it horizontally, which it is showing thanks to you, but I want to display all the content in a table. Can we do that?

bowesmana
SplunkTrust
SplunkTrust

You can do this

| inputlookup panels.csv
| transpose 0

What do you want the column headings to be?

That will give you columns called row 1, row 2, row 3 and so on with the values found.

 

bowesmana
SplunkTrust
SplunkTrust

You can also add this on the end of that previous post, which will make the column name the value of the panel and the value of the column=1

| foreach row* [ eval {<<FIELD>>}=1 ]
| fields - row*

Siddharthnegi
Contributor

The result coming is:

Panels
Blacklisted Software Exceptions Clients missing critical updates Clients with blacklisted Software Clients with old Defender patterns Critical severity vulnerabilities Defender enrollment status High severity vulnerabilities Local virtual machines Outdated operating systems - Endpoint Outdated operating systems - Unknown Outdated operation systems - Server Servers with blacklisted Software Systems not found in patch management database Total Installed blacklisted Software Vulnerabilities solved

But I want all the results in different sections of the table.

Siddharthnegi
Contributor

Is there table visualization in Splunk?

bowesmana
SplunkTrust
SplunkTrust

There is a table visualisation in Splunk and when you run that command you are getting a table visualisation.

Perhaps you can describe your data better, because you are clearly looking for something different than just panels a b c.

Your post describing this 

Panels
Blacklisted Software Exceptions Clients missing critical updates Clients with blacklisted Software Clients with old Defender patterns Critical severity vulnerabilities Defender enrollment status High severity vulnerabilities Local virtual machines Outdated operating systems - Endpoint Outdated operating systems - Unknown Outdated operation systems - Server Servers with blacklisted Software Systems not found in patch management database Total Installed blacklisted Software Vulnerabilities solved

doesn't actually tell me anything useful - can you describe your lookup data, what it contains and give a better description of how you want the data to look in your table.

 

Siddharthnegi
Contributor

Yeah, sure.
I have a lookup called panels.csv:

Panels

Critical severity vulnerabilities
High severity vulnerabilities
Vulnerabilities solved
Local virtual machines
Outdated operation systems - Server
Outdated operating systems - Endpoint
Outdated operating systems - Unknown
Defender enrollment status
Clients with old Defender patterns
Systems not found in patch management database
Clients missing critical updates
Servers with blacklisted Software
Clients with blacklisted Software
Total Installed blacklisted Software
Blacklisted Software Exceptions


I want to display them horizontally, for which I was using your given search, but the result is coming in this pattern:

Blacklisted Software Exceptions Clients missing critical updates Clients with blacklisted Software Clients with old Defender patterns Critical severity vulnerabilities Defender enrollment status High severity vulnerabilities Local virtual machines Outdated operating systems - Endpoint Outdated operating systems - Unknown Outdated operation systems - Server Servers with blacklisted Software Systems not found in patch management database Total Installed blacklisted Software Vulnerabilities solved

I want to display it like this, but want to have sections for each content, just like a table.

bowesmana
SplunkTrust
SplunkTrust

As @yuanliu says, my queries give you a table - if you are indicating the table does not come back in the order the panels are defined in the CSV, that's unfortunately a feature of Splunk.

You can add this final line to order the columns as per the CSV

| fields [ | inputlookup panels.csv | eval Panels="\"".Panels."\"" | stats list(Panels) as Panels | return $Panels ]
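
Why the joined output earlier in the thread came back alphabetised while the list()-based search above keeps CSV order, as an added example that is not from any poster in this thread: `stats values()` returns distinct values in lexicographical order, whereas `stats list()` keeps them in the order the rows arrive. The four panel names are a constructed subset of the lookup shown in the thread, generated with `makeresults` so the search runs without panels.csv; the field names `sorted_order` and `csv_order` are illustrative.

```spl
| makeresults
| eval Panels=split("Critical severity vulnerabilities;High severity vulnerabilities;Vulnerabilities solved;Local virtual machines", ";")
| mvexpand Panels
| stats values(Panels) as sorted_order list(Panels) as csv_order
| eval sorted_order=mvjoin(sorted_order, " | "), csv_order=mvjoin(csv_order, " | ")
```

Note that `list()` also keeps duplicates and is capped at 100 values by default, so it suits short lookups like this one.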

yuanliu
SplunkTrust
SplunkTrust

I cannot understand why you say you are not getting a "table".  Using the lookup sample you gave and the two code samples @bowesmana gave, these are results from my instance

1. Transpose alone

transpose.png

2. Transpose + foreach

transpose+foreach.png

Both are just like table.  Are they not?
