| tstats to include data enrichment from a lookup

jacqu3sy · ‎06-20-2018

Hi,

How can I use a tstats search, to match against a result and then OUTPUT additional content from the lookup where the match is seen?

Tried variations on the following to no avail.

| tstats count WHERE index=bla sourcetype=bla by dest | lookup bad_ip.csv bad_host AS dest | OUTPUT dest, country, lat, lon, dateadded

Thanks!

woodcock · ‎06-30-2018

This is very straight-forward so perhaps you are not including all the details. This should work:

| tstats count WHERE index=bla sourcetype=bla by dest
| lookup bad_ip.csv bad_host AS dest OUTPUT dest, country, lat, lon, dateadded
| where isnotnull(dest)

DalJeanis · ‎06-20-2018

Assuming that everything after OUTPUT is a list of fields that are in bad_ip.csv, and the field bad_host in the csv is in the same data format as the field dest, then just get rid of the unnecessary pipe between dest and OUTPUT, and list only the output fields you want. (Dest is unneeded).

| tstats count WHERE index=bla sourcetype=bla by dest 
| lookup bad_ip.csv bad_host AS dest OUTPUT country, lat, lon, dateadded

https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Lookup

jacqu3sy · ‎06-21-2018

Didnt work. It just pulls back every dest value seen within the index / sourcetype. I only want to pull back dest values where it matches a value in the csv.

| tstats to include data enrichment from a lookup

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!