Solved: Internal lookup

mrdaniel · ‎04-15-2011

I need to do a lookup on search result with data from splunk internal. I have a log which logs when a user login and what PID that user get assigned to such as:

PID: 2938 [DATE]

22: Command [username]

In the same log the actions the user takes during the session is logged with the following format:

PID: 2938 [DATE]
22: Command [custom data]

Now i would like to generate an report using this data and translate the PID to a username using lookup. The result would be a table with Username, PID and Command.

When i search for lookup information i can find that i can do lookups from scripts or CSV files, not from Splunk queries, is it possible to do such query?

ziegfried · ‎04-15-2011

You could either use the join or transaction command to combine the metadata of 2 searches.

Or use stats to aggregate the information on a unqiue key:

<search maching both events> | stats first(Command) as Command first(Username) as Username by PID

Another, more complicated option is to write a scripted lookup or a command which can execute searches in Splunk. But I don't think this is necessary.

View solution in original post

mrdaniel · ‎04-19-2011

Thanks i had to modify this a bit as there are more than one Command, so I use

| stats list(Command) as Command first(Username) as Username by PID

ziegfried · ‎04-15-2011

You could either use the join or transaction command to combine the metadata of 2 searches.

Or use stats to aggregate the information on a unqiue key:

<search maching both events> | stats first(Command) as Command first(Username) as Username by PID

Another, more complicated option is to write a scripted lookup or a command which can execute searches in Splunk. But I don't think this is necessary.

Internal lookup

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor