Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

lookup in the event

newbiesplunk
Path Finder
‎02-25-2015 04:22 PM

Hi,
If my event does not contain the user field, and i need to have the automatic lookup for the user info based on the user=1234 as the example below, what will be the approach? thks
2/26/15 10:03:30 AM 1.1.1.1 - 1234 xxxxx

Tags (1)
0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎02-26-2015 08:36 AM

Here is what I would do to get the data for the user (you will have to make appropriate substitutions that you want for your search):

<your-search-data> | rex field=_raw " \d+\.\d+\.\d+\.\d+\.\d+\s+-\s+(?P<user>[^ ]+" | lookup <lookuptablename> user OUTPUT fullname

where your lookuptablename table (csv) has data like this:

user,fullname
1234,John Doe
5678,Larry Bird
2468,Jack B Nimble

The rex command should get the user after the IP and dash (-). Then that is used to do the lookup in the table to get the user's fullname from the table. That fullname will then be found in the field fullname.

So you will have to tailor the CSV file with the proper names and fields (you can have more than one that is returned, so you could have more than 2 columns in the CSV file that you submit as the lookup table. If your data is far different from the example, you will have to make adjustments in the field extraction in the rex command as well.

satishsdange gives a good reference to understanding the lookup tables.

0 Karma
Reply

satishsdange
Builder
‎02-25-2015 08:40 PM

Hi -

You can create a lookup to enrich raw unstructured data with structured data. e.g. user1=1234, user2=3456
Below link provides information about creating lookup -
http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Usefieldlookupstoaddinformationtoyoureve...

Hope this helps.

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎02-25-2015 04:26 PM

You say the event doesn't contain the user field, but then 1234 in your example is the user? Is 1234 the user or not?

Then you want to do an auto lookup of additional data for that user (which the user (1234) is actually in the event)? Right?

0 Karma
Reply

newbiesplunk
Path Finder
‎02-25-2015 11:38 PM

Hi, 1234 is the user found in the event but was not tag to the field "user".

0 Karma
Reply

markthompson
Builder
‎02-26-2015 01:02 AM

I can see where @cpetterborg is coming from, the question is not that easy to understand. Would you mind clarifying what you're attempting to do?

From what I can gather, you want the "1234" as shown in your example to be known as the User field, for which you would need a rex.

And then you want to look this up in a table?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...