Solved: how to use inputlookup and lookup together to filt...

matthewb4 · ‎09-18-2017

I have a lookup abc.csv with the following values...

**header1, header2**
value1a, value2a
value1b, value2b
value1c, value2c
value1d, value2d

I have a base query that I need to first filter a fieldX by only values contained in the lookup abc.csv header1 column. I understand that I can do this using something like, "[ | inputlookup abc.csv | fields fieldX]" but there are two problems here...

my splunk fieldX does not have the same name as header1 (and I would like to keep them different).
I need to use this lookup command after using several other pipes already, not directly after the base search query (this is because I have to first regex a different field to create the proper mapping values for fieldX)

Once the events are filtered, I need use the same lookup file abc.csv to output a new field with the values in header 2.

Correct me if I'm wrong but I believe i have to do it this way because it won't let me just use the lookup command (and forego inputlookup altogether) as most of the values in fieldX aren't present in header1 and i get this error... ** "Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table" **

DalJeanis · ‎09-18-2017

I don't say this much, but altogether, it looks like this is a candidate for join.

 "MY SEARCH" 
 | eval splitField=split(fieldA,"-") 
 | eval temp=lower(mvindex(splitField,0)) 
 | rex field=temp "service:(?<fieldX>.*)" 
 | join fieldX [|inputlookup abc.csv | rename header1 as fieldX ]

View solution in original post

DalJeanis · ‎09-18-2017

I don't say this much, but altogether, it looks like this is a candidate for join.

 "MY SEARCH" 
 | eval splitField=split(fieldA,"-") 
 | eval temp=lower(mvindex(splitField,0)) 
 | rex field=temp "service:(?<fieldX>.*)" 
 | join fieldX [|inputlookup abc.csv | rename header1 as fieldX ]

matthewb4 · ‎09-19-2017

hey that worked, thank you

somesoni2 · ‎09-18-2017

You get option to rename lookup field names with inputlookup/lookup command use.
E.g. for inputlookup as filter

[ | inputlookup abc.csv | table header1 | rename header1 as fieldX ]

and for lookup

your search | lookup abc.csv header1 as fieldX OUTPUT header2 as newFieldNameThatYouWant

I would suggest reading lookup command documentation to learn more about lookup command, it's syntax and available options.

matthewb4 · ‎09-18-2017

I'm not sure this will work for me as I don't have fieldX correctly 'configured' until several pipes after the base search query (As follows)...

"MY SEARCH" | eval splitField=split(fieldA,"-") | eval temp=lower(mvindex(splitField,0)) | rex field=temp "service:(?<fieldX>.*)" | ........

If I try to insert the lookup command after the last pipe above I get the following error "Subsearches are only valid as arguments to commands"

Also, does the above inputlookup syntax you mentioned actually filter out filedX values not contained in header1? What does the 'table' portion do, I feel like it is not intuitive after looking through http://docs.splunk.com/Documentation/Splunk/6.3.5/SearchReference/Inputlookup

how to use inputlookup and lookup together to filter events and then output a new field with value mappings

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases