Hi Mayur, Thanks for your response, As per my question I have a src field in raw data and I have a server_ip column (only one column) in csv lookup Now I would like to configure the search query which will return the list of servers matching from lookup table to raw_field's servers value based on the given Event_Code. I will be thankful if you can suggest here. Thanks, ... View more

I thank you for all of your inputs and help!! ... View more

Yes, its working. This is what I am looking for, Thank you very much. I truly appreciate your time and effort. I thank you for all of your help!! ... View more

Or is there any way to return only single matching raw event for each terms of csv lookup Example: we have thousands of terms in csv lookupup file. So can we return only single matching event for each word. i.e. thousand unique matching raw events with respect to csv lookup. Because above search query is returning millions of matching raw events. So its difficult figure out for every terms. I have used below search query, index=iot [| inputlookup transaction.csv | eval search=transaction_name | table search] | stats count by transaction_name Can we dedup events based on terms. So that it can return only one matching raw event per terms from CSV ... View more

Every event contains only one term. and there place is not specific. They can be appear anywhere in the event. We just want to check how many terms from lookup returning matching raw events. We want to list down those matching terms which are returning result as a output. ... View more

Above search query is returning the matching raw events. But there are millions of events to scroll down and browse next page is difficult every time. What we are looking for is to check each term from csv file whether any events contains term similar to csv lookup I am trying to get toutput as a table which contains list of all matching terms and exclude non matching terms of csv lookup. ... View more

I executed below one, index="iot" [ | inputlookup "transaction.csv" | return 10000 $transaction_name] | rex "transaction name: (?\S+)" | table transaction_name encountered error in regex... terms appearing in events are random they are not constant to any specific place Then I executed below query, index="iot" [ | inputlookup "tr.csv" | return 10000 $transaction_name] | table transaction_name it's returning blank table ... View more

I dont have any field in Splunk I want to do a text based search, I have below csv file which contains thousands of entries which I want to match with the events. Splunk dont have any field, trying to execute text based search Lookup table: transaction.csv transaction_name status result failed success report idle .... When I executed below query it is not returning any result, showing blank table index="iot" [ | inputlookup "transaction.csv" | table transaction_name | rename transaction_name as search ] | table transaction_name The above query didn't fetch any result. I am trying to display list of all matching terms in table format as a search output ... View more

I dont have any field in Splunk I want to do a text based search, I have below csv file which contains thousands of entries which I want to match with the events. Splunk dont have any field, trying to execute text based search Lookup table: transaction.csv transaction_name status result failed success report idle .... When I executed below query it is not returning any result, showing blank table index="iot" [ | inputlookup "transaction.csv" | table transaction_name | rename transaction_name as search ] | table transaction_name The above query didn't fetch any result. I am trying to display list of all matching terms in table format as a search output ... View more

I want Splunk to return the term which is matching with events. I want to see the output as list of terms matching with the events I have below events, 160701 09:57:32.322 (I 4) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] Workflow (FX we_WorkflowUpdate.c 272) Status returning by WSVCUpdateMilestone: 0 160701 09:57:32.322 (I 4) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] Workflow (FX we_WorkflowUpdate.c 272) Status returning by WSVCUpdateMilestone: 0 160701 09:57:32.266 (D 5) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] DBServerId (FX wf_Engine.c 659) Account server: 3 160701 09:57:32.266 (I 4) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] CallData (FX wf_Engine.c 701) CONTENT IN DEBUG FILE Now, I have a lookup table named transaction.csv having one column named, transaction_name it have N numbers of entries (1000 entries) follows: transaction_name WSVCUpdateMilestone Workflow DBServerId CallData I have executed below command but it is not showing list of matching terms as a search result. I am trying to see list of matching term in table format as a search result index="iot"[| inputlookup transaction.csv | eval search=transaction_name | table search] ... View more

Yes I want Splunk to return each term which is exist in the events I want to see list of all terms as a search result which are present in events. Events are as below, 160701 09:57:32.322 (I 4) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] Workflow (FX we_WorkflowUpdate.c 272) Status returning by WSVCUpdateMilestone: 0 160701 09:57:32.322 (I 4) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] Workflow (FX we_WorkflowUpdate.c 272) Status returning by WSVCUpdateMilestone: 0 160701 09:57:32.266 (D 5) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] DBServerId (FX wf_Engine.c 659) Account server: 3 160701 09:57:32.266 (I 4) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] CallData (FX wf_Engine.c 701) CONTENT IN DEBUG FILE Now, I have a lookup table named transaction.csv contains one colunm, transaction_name. transaction_name WSVCUpdateMilestone Workflow DBServerId CallData .... ... View more

My index name is iot which is generating number of events as below, index=iot Below are the few event samples from iot index and transaction values are given contained in transaction_name column from transaction.csv lookup table. trnsaction name: WSVCUpdateMilestone 160701 09:57:32.322 (I 4) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] Workflow (FX we_WorkflowUpdate.c 272) Status returning by WSVCUpdateMilestone: 0 transaction name: Workflow 160701 09:57:32.322 (I 4) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] Workflow (FX we_WorkflowUpdate.c 272) Status returning by WSVCUpdateMilestone: 0 transaction name: DBServerId 160701 09:57:32.266 (D 5) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] DBServerId (FX wf_Engine.c 659) Account server: 3 transaction name: CallData 160701 09:57:32.266 (I 4) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] CallData (FX wf_Engine.c 701) CONTENT IN DEBUG FILE Now, I have a lookup table named transaction.csv contains one colunm, transaction_name. The goal is to have Splunk go through the lookup table and match text in the column, transaction_name with the index iot. and return either matching or non-matching term Lookup table is "transaction.csv" having one column named, transaction_name it have N numbers of entries (1000 entries) follows: transaction_name WSVCUpdateMilestone Workflow DBServerId CallData .... These are thousands of transaction name contained in lookup table, we want to check whether index is returning any events containing above transaction value. Manually executing search query is difficult for thousands of entries like below, index="index_name" "transaction_name" This is why we want to use lookup which will go through index events and return list of either matching or non_matching transaction values from table. Any help would be great. I have tried the below: index=iot [|inputlookup transaction.csv | return transaction_name] But above search query is not returning any data, when I executed above query it returned no result found. ... View more

My index name is iot which is generating number of events as below, index=iot Below is the transaction value contained in transaction_name csv from transaction.csv lookup and events from iot index trnsaction_name: WSVCUpdateMilestone 160701 09:57:32.322 (I 4) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] Workflow (FX we_WorkflowUpdate.c 272) Status returning by WSVCUpdateMilestone: 0 transaction_name: Workflow 160701 09:57:32.322 (I 4) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] Workflow (FX we_WorkflowUpdate.c 272) Status returning by WSVCUpdateMilestone: 0 transaction_name: DBServerId 160701 09:57:32.266 (D 5) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] DBServerId (FX wf_Engine.c 659) Account server: 3 transaction_name: CallData 160701 09:57:32.266 (I 4) [:0x0 0x5774c746 0x49ce2b 0x28 0x0 0x0:N_MlIsMd] CallData (FX wf_Engine.c 701) CONTENT IN DEBUG FILE Now, I have a lookup table named transaction.csv contains one colunm, transaction_name. The goal is to have Splunk go through the lookup table and match text in the column, transaction_name with the index iot. and return either matching or non-matching term Lookup table is "transaction.csv" having one column named, transaction_name it have N numbers of entries (1000 entries) follows: transaction_name WSVCUpdateMilestone Workflow DBServerId CallData .... These are thousands of transaction name contained in lookup table, we want to check whether index is returning any events containing above transaction value. Manually executing search query is difficult for thousands of entries like, index="index_name" "transaction_name" This is why we want to use lookup which will go through index events and return list of either matching or non_matching transaction values from table. Any help would be great. I have tried the below: index=iot [|inputlookup transaction.csv | return transaction_name] But above search query is not returning any data, when I executed above query it returned no result found. ... View more

I would like to see either matching or non-matching transaction names returned by transaction_name column from transaction.csv file with respect to events in index. But above search query is not returning any data, when I executed above query it returned no result found. ... View more

II have a lookup table named transaction.csv contains one colunm, transaction_name. The goal is to have Splunk go through the lookup table and match text in the column named, transaction_name. and return a matching term Lookup table is "transaction.csv" having one column named, transaction_name it have N numbers of entries (1000 entries) follows: transaction_name status result failed success report idle .... Any help would be great. I have tried the below: index=index_name [| inputlookup transaction.csv | eval search=transaction_name | table search] Above search query not returning matching terms in table format. I would like to see output of matching terms(from csv file and events) in table format. ... View more