use inputlookup to get data

sarit_s · ‎06-01-2020

Hello
I'm running this query:

index=prod eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"
| transaction maxpause=2s maxspan=1s maxevents=5
| eval max_time=(duration + _time)
| eval min_time=(_time)
| rename kafka_uuid as uuids
| where eventcount!=5
| table  eventtype ,min_time, max_time,tail_id,uuids
| eval eventtype="csm_dhcp_anomaly"

now i have csv file and i want to read the "eventtype" parameters from there. how can i call inputlookup ?
all of my tries didn't work..

thanks

493669 · ‎06-01-2020

Use lookup command like-

...|lookup  <yourlookup name> <fields using you are joining> <output field names>

ref-https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Lookup

sarit_s · ‎06-01-2020

thanks
is it possible to group all the fields to one ?
for example, in this query i have 5 different eventtypes. if im running "|table eventtype" im getting all the 5.. if im running it from the lookup file i have each eventtype in different parameter.
is it possible to group them all ?

use inputlookup to get data

eval

lookup

table

transaction

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!