9/25/2023

Splunk inputlookup

Geostats table example in Splunk 6.x Dashboard Examples app also uses a lookup table to map States to their geocoordinates (present in the lookup table). Splunk Search reference will be a good place to read and try out some examples:

Your subsearch is in the first pipeline, ensure your inputlookup search returns fields or you will never get any results, simplify your request for testing.

index="foo" sourcetype="bar" field1="Yes" | eval field2=field3 | lookup statscode field2 | table field1, field2, field3

Hi, when using inputlookup you should use 'search' instead of where. In my experience I had various trouble using the where command within inputlookup, but search always worked as expected.

Rename field3 as field2 (assuming field2 is present in the lookup table) and join to lookup table statscode field2 through the lookup command. Like any relational DB join, you will have to ensure that the field name from the SPL search matches the one present in the lookup table (you can easily do this with eval or rename).

For example, if you have added the lookup file statscode.csv and created a lookup field statscode, you can try the following:

1) Run the following to see the content of the lookup file (also ensure that it is correct and accessible):

| inputlookup statscode

2) Run the Splunk search on the index (assuming field1 and field3 are the fields from the index being searched).

| inputlookup list250k | rename ipcidr as ip | eval convertip=tostring(ip) | lookup list65k ipcidr AS convertip OUTPUT ipcidr, list | where isnotnull(ipcidr) | rename ipcidr as foundin

Lookup files serve as a table with a foreign key which can be joined via a Splunk search over a particular index. In the '250k' row lookup there is only IP, while in the second one there are IP CIDR+LIST.