Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to match search with KV lookup files?

kiranpatil1985
New Member
‎03-13-2019 06:17 PM

Hello,
I have a KV file that is auto generated with username using a script running every hour. I want to match the username in the KV file with a different index search. I have written the following query but it is always stuck on "Parsing Job". The index contains a user column. The output should be the username that is common in both user table.

index=abc
| search [| inputlookup Leaver_Lookup.kv | fields "User ID" | rename "User ID" as user | dedup user | table user ]
0 Karma
Reply

HiroshiSatoh
Champion
‎03-13-2019 10:00 PM

Is LOOKUP defined?

| inputlookup <lookup-name> where <eval-expression> | ...

Is this search working?

| inputlookup Leaver_Lookup.kv | fields "User ID" | rename "User ID" as user | dedup user | table user
0 Karma
Reply

kiranpatil1985
New Member
‎03-13-2019 11:28 PM

Yes that search works.

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...