Splunk Search

values from lookup are not filled into map

Deniz_Oe
Explorer

Hey!

So I have been trying to use inputlookup on a long CSV list of addresses to perform a search for each address. I came up with the following:

| inputlookup voucher_numbers.csv
| table voucher
| map search="search index=lgt_coms_prod OR index=lgt_mw_*_prod $voucher$
| table eventtype,$voucher$"

 

 

It returns all the eventtypes I want, but I lose the information of which address (or voucher) was used for getting each of them. So I ideally want something like this:

Voucher = SomeVoucher, Eventtype= a,b,c,d

But I only get the Eventtype bit.

Edit:

I tried the following but it didn't work:

| inputlookup voucher_numbers.csv
| table voucher
| map search="search index=lgt_coms_prod OR index=lgt_mw_*_prod $voucher$|where NOT isnull(eventtype)
| eval voucher = $voucher$| table voucher, eventtype"

Also when I put $voucher$ in double quotes, it just keeps filling the new voucher field with blanks. 

Any idea?

1 Solution

Deniz_Oe
Explorer

For anyone with the same problem, I solved it with:

| inputlookup voucher_numbers.csv
| table voucher
| map search="search index=lgt_coms_prod OR index=lgt_mw_*_prod $voucher$|where NOT isnull(eventtype)
| eval voucher = \"$voucher$\" | table voucher, eventtype"

0 Karma
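
An added example, not part of the original posts: the accepted search extended to return one row per voucher with its event types joined, which is the output shape the question asked for. The `maxsearches=500` value, the `stats`/`mvjoin` steps and the comma separator are assumptions made here; `map` runs only 10 searches by default, so a long CSV needs that limit raised.

```spl
| inputlookup voucher_numbers.csv
| table voucher
| map maxsearches=500 search="search index=lgt_coms_prod OR index=lgt_mw_*_prod $voucher$
    | where NOT isnull(eventtype)
    | eval voucher = \"$voucher$\"
    | stats values(eventtype) AS eventtype BY voucher"
| eval eventtype = mvjoin(eventtype, ",")
| table voucher, eventtype
```

The escaped quotes matter because, after token substitution, an unquoted non-numeric value in `eval` is read as a field name rather than a string literal, and a field that does not exist evaluates to null.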
