I have a lookup abc.csv with the following values...
**header1, header2**
value1a, value2a
value1b, value2b
value1c, value2c
value1d, value2d
I have a base query that I need to first filter a fieldX by only values contained in the lookup abc.csv header1 column. I understand that I can do this using something like, "[ | inputlookup abc.csv | fields fieldX]" but there are two problems here...
1. My Splunk fieldX does not have the same name as header1 (and I would like to keep them different).
2. I need to use this lookup command after using several other pipes already, not directly after the base search query (this is because I have to first regex a different field to create the proper mapping values for fieldX).

Once the events are filtered, I need to use the same lookup file abc.csv to output a new field with the values in header2.
Correct me if I'm wrong, but I believe I have to do it this way because it won't let me just use the lookup command (and forego inputlookup altogether), as most of the values in fieldX aren't present in header1 and I get this error... **"Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table"**