Splunk Search

Search Event from ID in a lookup

Oaknoy
New Member

Hello everybody! Probably this is a very easy thing to do; however, I'm struggling here as my experience in Splunk is very limited.

So I have a lookup table with the newly created IDs in CloudFront that updates biweekly, as below:

ID Time
E1G0rS2CXF0DMJ 2019-12-161213:34:19Z
EZZ9D48580D6N 2019-12-161213:32:49Z
E2CNDYMBrP0JEL 2019-12-161213:31:25Z
E9858L1YVLNGBV 2019-12-161213:30:01Z
12VS98N9858JPVI 2019-12-161213:28:36Z
12C0PJH02J958ZG 2019-12-161213:27:10Z
E1VR8CB8YGL001 2019-12-161213:25:48Z

So what I want to do is, using the IDs stored in the lookup, verify whether protection has been applied to those newly created distributions by correlating with the event name below, and output the ones where protection was not applied.

index=test eventName=CreateProtection

Thank you in advance!


gcusello
SplunkTrust

Hi @Oaknoy,
Let me understand: do you want to search in the test index for all the IDs that are in the lookup, or something else?
If this is what you want, you can run something like this:

index=test eventName=CreateProtection [ | inputlookup my_lookup.csv | fields ID ]
| ...

If instead you want to use the other fields of the lookup, you could run something like this:

index=test eventName=CreateProtection
| lookup my_lookup.csv ID OUTPUT other fields
| ...

Ciao.
Giuseppe


Oaknoy
New Member

Hi Giuseppe,

Thanks a lot for your help!

What I want to do is, using those IDs stored in a lookup (this lookup stores all the newly created IDs), check if a specific event (in this case, CreateProtection) has been applied to those IDs.

So, for instance, I want to verify if there's a CreateProtection event for E1G0rS2CXF0DMJ, which is a newly created ID, in order to know the unprotected IDs without having to create two different queries.

Thanks again!


gcusello
SplunkTrust

Hi @Oaknoy,
OK, using the first search you get all the events that match the IDs in the lookup.

Beware of only one point: the key field (ID) must have the same name both in the lookup and in the search (the field name must be the same and is case sensitive). In other words, check that the ID field (written exactly the same way) is extracted in the search.

If this answer solves your need, please accept and/or upvote it; otherwise, please share more info so we can help you.

Ciao.
Giuseppe

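The first search above returns the events that do match the lookup, while the original question asks for the IDs that have no CreateProtection event. The following search is an added example, not code from this thread or from Splunk's own documentation; it assumes the lookup file is named my_lookup.csv, that its key column is ID, and (as noted above) that the events in index=test expose the distribution ID in an extracted field also named ID.

```spl
| inputlookup my_lookup.csv
| fields ID
| eval in_lookup=1
| append
    [ search index=test eventName=CreateProtection
      | stats count AS protection_events BY ID ]
| stats max(in_lookup) AS in_lookup, sum(protection_events) AS protection_events BY ID
| fillnull value=0 protection_events
| where in_lookup=1 AND protection_events=0
| table ID
```

The lookup rows are tagged with in_lookup=1, the per-ID event counts are appended from the index, and the final stats merges both sides by ID so that rows with in_lookup=1 and zero protection events are the unprotected distributions; if the event field has a different name (for example resourceId), add a rename ... AS ID inside the subsearch before the stats.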