Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me with a lookuptable question?

adabud6267
Explorer
‎01-09-2019 07:44 AM

Hello all,

I have indexed data that contains an extracted field (domain) and a CSV (https.csv) file with the following headers URL,IP,Location_Code,Location_Name. I'd like to return ONLY events that concern the domains in the CSV files. 

| lookup https URL as domain OUTPUT IP, Location_Code, Location_Name

Would the above return only the events where the domain fields values match the values under the URL header in my CSV file?

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-09-2019 08:09 AM

Hi adabud6267,
try something like this:

index=domain [ | inputlookup https | rename URL as domain | fields domain ]
| ...

beware that the field name (domain) must be the same in main search and subsearch.

If you want to run the search with a substring of URL field, you have to extract it using substr function or a regex.

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-09-2019 08:09 AM

Hi adabud6267,
try something like this:

index=domain [ | inputlookup https | rename URL as domain | fields domain ]
| ...

beware that the field name (domain) must be the same in main search and subsearch.

If you want to run the search with a substring of URL field, you have to extract it using substr function or a regex.

Bye.
Giuseppe

Reply
Solved! Jump to solution

adabud6267
Explorer
‎01-22-2019 12:06 AM

Hello @cusello

Thank you for your answer! It works. Please tell me on thing.

will www.domain-foo.com match domain-foo.com ?

Also it appears, that I cannot use the fields from the csv file as I would do it with the lookup command. I'd like to add a column containing the city code from the CSV file if a domain match is found.

Thank you and I appreciate your help !

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-23-2019 05:53 AM

To match a substring, you can use "*" at the beginning and the end of the string in you search.
Otherwise, in you search you can use

index=domain [ | inputlookup https | rename URL as query | fields query ]
| ...

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-22-2019 05:37 AM

@adabud6267 If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...