use inputlookup to get data
sarit_s
Communicator
06-01-2020
01:36 AM
Hello
I'm running this query:
index=prod eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"
| transaction maxpause=2s maxspan=1s maxevents=5
| eval max_time=(duration + _time)
| eval min_time=(_time)
| rename kafka_uuid as uuids
| where eventcount!=5
| table eventtype, min_time, max_time, tail_id, uuids
| eval eventtype="csm_dhcp_anomaly"
Now I have a CSV file and I want to read the "eventtype" parameters from there. How can I call inputlookup?
All of my tries didn't work.
Thanks
493669
Super Champion
06-01-2020
01:41 AM
Use the lookup command like:
...|lookup <your lookup name> <fields you are joining on> <output field names>
Ref: https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Lookup
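As an added example (not from either poster), this is one way to drive the original search from the CSV instead of hard-coding the five eventtypes: an inputlookup subsearch returns the eventtype column, and Splunk expands those rows into an OR of eventtype="..." terms. It assumes an uploaded lookup file named dhcp_eventtypes.csv with a single column, eventtype, holding the five csm-messages-dhcpd-* values; both the file name and the column name are assumptions.

```spl
index=prod
    [| inputlookup dhcp_eventtypes.csv
     | fields eventtype ]
| transaction maxpause=2s maxspan=1s maxevents=5
| eval min_time=_time, max_time=_time+duration
| rename kafka_uuid AS uuids
| where eventcount!=5
| eval eventtype="csm_dhcp_anomaly"
| table eventtype, min_time, max_time, tail_id, uuids
```

Adding a row to the CSV then changes the search without editing it, which is also worth keeping in mind if the file is writable by others, since it controls what the anomaly search matches.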
sarit_s
Communicator
06-01-2020
02:59 AM
Thanks
Is it possible to group all the fields into one?
For example, in this query I have 5 different eventtypes. If I'm running "|table eventtype" I'm getting all 5. If I'm running it from the lookup file I have each eventtype in a different parameter.
Is it possible to group them all?
