×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
tkiermaier_shel
New Member
Member since: ‎05-20-2020
‎06-10-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-20-2020
View All

Re: How to populate multiple fields from lookup cs...

by in Splunk Search
‎06-10-2020 08:40 PM
‎06-10-2020 08:40 PM
@richgalloway  so now that I have had a chance to get back to this issue I am not sure what I am doing wrong. I have tried using eventstats and the values arguments but I still have had no success ... View more

How to populate multiple fields from lookup csv in...

by in Splunk Search
‎05-20-2020 10:49 PM
‎05-20-2020 10:49 PM
Hi, I am needing to pull multiple fields from a lookup CSV into the results from a proxy search Primary search is: index=PROXY domain=example.com | transaction user maxspan=1m | stats count by user This gives me user - count SURNAME, FIRSTNAME - X(count) Next I have a lookup CSV containing an AD dump that I want to enrich the first search, *note the Nickname field follows the same format as the user field from the proxy results | fields user, Branch, Group, count | lookup AD_all_users.csv Nickname as user, Dep_Branch as Branch, Dep_Group as Group however when I run these searches together we get index=PROXY domain=example.com | transaction user maxspan=1m | stats count by user | fields user, Branch, Group, count | lookup AD_all_users.csv Nickname as user, Dep_Branch as Branch, Dep_Group as Group User - Branch - Group - count SURNAME,FIRSTNAME - NULL - NULL - X(count) anyone able to advise me of wat I have wrong? PS the lookup CSV has about 30 columns and I only need the 3 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-10-2020 09:11 PM