Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to list matches of a search using lookup values

dugalle
New Member
‎01-17-2020 01:02 AM

Hi!

I have create a search that uses a dynamic lookup to find events in some index looking at the raw:

...................
Lookup.csv
...................
id value
.. ..........
1 one
2 two
3 three

....................................
sample-index Events
....................................
2020-01-17 11:42:37 Sample event one
2020-01-17 11:42:33 Sample event five
2020-01-17 11:42:31 Sample event two

Query:

index=sample-index
[
| inputlookup Lookup.csv
| table value
| rename value as search | format
]
| table _time , _raw

It works fine and returns the Event 1 and 3 but I want to list the values of the lookup that has matched the events (in this case it should return "one" and "two"). I think that it should be done counting the matches of all the values of the lookup in the results but I don't know how to do it. The csv is generated every day so I can't put the values on the query.

Do you have any idea how to do it?

Thanks!

Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎01-17-2020 02:33 AM

UPDATED:
e.g.

| makeresults 
| eval _raw="time,raw
2020-01-17 11:42:37,Sample event one
2020-01-17 11:42:33,Sample event five
2020-01-17 11:42:31,Sample event two" 
| multikv forceheader=1 
| rename raw as _raw 
| rename time as _time 
| table _time _raw 
    `comment("this is sample your provide")` 
| appendpipe
    [| makeresults 
    | eval _raw="id value
1 one
2 two
3 three" 
    | multikv forceheader=1 
    | table id value
        `comment("this is sample as | inputlookup Lookup.csv")`
    | table value ]
| eventstats values(*) as *
| stats values(_raw) as raw by value
| where match(raw,value)
| table value

Recommend:

index=sample-index
| table _raw
| appendpipe [|inputlookup Lookup.csv
| table value]
| eventstats values(*) as *
| stats values(_raw) as raw by value
| where match(raw,value)
| table value

How about this?

0 Karma
Reply

dugalle
New Member
‎01-17-2020 03:29 AM

Hi! the field check appears always as "Null" 😞

Regarding to the table, that info is a sample of the "sample-index" events.

Thanks!

0 Karma
Reply

TISKAR
Builder
‎01-17-2020 01:20 AM

Hi @dugalle:

Can you try by lookup command like this:

index=sample-index
| lookup Lookup.csv value as search OUTPUTNEW value 
| where !isnull(value)
| table _time , _raw
0 Karma
Reply

dugalle
New Member
‎01-17-2020 03:08 AM

Hi, i have tried it and doesn't work 😞

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...