Splunk Search

Compare field with column of lookup table

giorgioanastasi
Explorer

Hi all, I have this need, compare a field with a series of error codes. I would not like to write in the search, any error codes, but I would like to use a lookup table. I then entered the error codes in a column (Name = Errors) of the table, but when i  perform the search, they are not compared correctly.

In the column, for example, is present: login.error.1004

In the search: tag = Log | lookup ServiziApp.csv ServiceName AS Service | search Functionality = "Access" errorCode! = Errors

But the lines despite having a field = login.error.1004, are displayed. Checking the extracted fields, the errorCode field contains login.error.1004 and the Errors field also contains login.error.1004.

Thanks in advance

Labels (2)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

OK, there's the issue - the lookup will not perform a wildcard match for the event error code against any value in the column from the lookup. You can make the lookup support wildcards, but what you actually want here is multiple values, so I suggest that you make a new row in the lookup for each error code you want 

In that case, the in() logic will work when you do the lookup, as all the errorcodes from the lookup file matching the service you are looking for, will be returned as a multi-value field and then the in() can find it.

 

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

Firstly, the search command does not compare field against field, so the 

errorCode! = Errors

is actually looking for the text Errors in the errorCode field.

replace the search with

| where Functionality="Access" AND !match(errorCode, Errors)

however,  do you have the same ServiceName more than once in the lookup file. If so, then you will have Errors as a multi value field, and you would have to use something like 

| where !in(errorCode, Errors)

for that case.

 

giorgioanastasi
Explorer

Hi Bowesmana and thanks for the response.

match work correctly with one error code, if i add other error codes in the lookup table, !IN(errorCode, Errors) does not work, i.e. the search does not filter these cases.

This is the contents of the lookup column:

login.error.E99999 login.error.10002

Tags (1)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

OK, there's the issue - the lookup will not perform a wildcard match for the event error code against any value in the column from the lookup. You can make the lookup support wildcards, but what you actually want here is multiple values, so I suggest that you make a new row in the lookup for each error code you want 

In that case, the in() logic will work when you do the lookup, as all the errorcodes from the lookup file matching the service you are looking for, will be returned as a multi-value field and then the in() can find it.

 

giorgioanastasi
Explorer

Thanks again, adding the error codes on multiple lines works

Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...