These recipes extensively use three lookup search commands: lookup, inputlookup, and outputlookup.

lookup

For each event, this command finds matching rows in an external CSV table and returns the other column values, enriching the events. For example, given an event with a host field and a lookup table with host and machine_type columns, specifying

... | lookup mylookup host

adds the machine_type value corresponding to the host value to each event. By default, matching is case-sensitive and does not support wildcards, but both can be changed in the lookup definition. Using the lookup command matches values in external tables explicitly; automatic lookups, which are set up using Splunk Manager, match values implicitly.

inputlookup

This command returns the whole lookup table as search results. For example,

... | inputlookup mylookup

returns one search result for each row in the table mylookup, each with two fields: host and machine_type.

outputlookup

You might wonder how to create a lookup table. This command writes the current search results to a lookup table on disk. For example,

... | outputlookup mytable.csv

saves all the results into mytable.csv.

Problem: You need a default field value if an event's value is not in the lookup table.

Solution: With an explicit lookup, use the eval coalesce function, which returns the first of its arguments that is not null, so events the lookup did not match get the fallback value:

... | lookup mylookup ip | eval domain=coalesce(domain,"unknown")

With automatic lookups, there is a setting for that. Go to Manager > Lookups > Lookup Definition > mylookup, select the Advanced options checkbox, and make the following changes:

Set Minimum matches: 1

Minimum matches on its own only forces an output for unmatched events; the value Splunk fills in comes from the Default matches setting in the same dialog, so set that to the fallback you want (for example, unknown).

Problem: You need to search for events based on the output of a lookup table.

Solution: Splunk permits reverse lookup searches: you can search for the output value of an automatic lookup, and Splunk translates that into a search for the corresponding input field values. With the mylookup table above, searching for machine_type=web is run as a search for the host values that map to web.
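To make the behaviour of these recipes concrete, here is an added Python model of the lookup semantics described above. It is example code written for this page, not Splunk's own implementation: the functions inputlookup, outputlookup, lookup, coalesce and reverse_lookup are stand-ins for the SPL commands and settings of the same names, and the mylookup.csv contents and the events are constructed sample data.

```python
# Added example (not Splunk code): a small Python model of the lookup
# semantics the recipes above describe, so the behaviour can be checked
# offline. The table, the host/machine_type columns and the events are
# constructed sample data.
import csv
import io

# Constructed lookup table standing in for mylookup.csv (host -> machine_type).
MYLOOKUP_CSV = """host,machine_type
web01,web
web02,web
db01,database
"""

# Constructed events. The second differs from the table only in case,
# the third is absent from the table altogether.
EVENTS = [
    {"host": "web01", "_raw": "GET /login 200"},
    {"host": "WEB01", "_raw": "GET /admin 403"},
    {"host": "lab-box", "_raw": "Failed password for root"},
]


def inputlookup(csv_text):
    """Return one result (dict) per table row, like `| inputlookup mylookup`."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def outputlookup(results, fieldnames):
    """Write results out as CSV text, like `| outputlookup mytable.csv`."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in results:
        writer.writerow({f: row.get(f, "") for f in fieldnames})
    return buf.getvalue()


def lookup(events, table, input_field, case_sensitive=True,
           min_matches=0, default_match=""):
    """Enrich each event with the other columns of the first row whose
    input_field equals the event's value (exact match, no wildcards).
    case_sensitive=False models the lookup definition's case-insensitive
    option. With min_matches=0 an unmatched event is left alone (the output
    fields stay null); with min_matches>=1 the output fields are filled with
    default_match, which is what the Minimum matches / Default matches
    settings do for an automatic lookup."""
    norm = (lambda v: v) if case_sensitive else (lambda v: v.lower())
    index = {}
    for row in table:
        index.setdefault(norm(row[input_field]), row)  # first matching row wins
    output_fields = [f for f in table[0] if f != input_field] if table else []
    enriched = []
    for event in events:
        event = dict(event)  # do not mutate the caller's events
        value = event.get(input_field)
        row = index.get(norm(value)) if value is not None else None
        if row is not None:
            for f in output_fields:
                event[f] = row[f]
        elif min_matches >= 1:
            for f in output_fields:
                event[f] = default_match
        enriched.append(event)
    return enriched


def coalesce(*values):
    """eval coalesce(): the first argument that is not null (None here)."""
    for v in values:
        if v is not None:
            return v
    return None


def reverse_lookup(table, input_field, output_field, value):
    """Translate a search on a lookup's output field (machine_type=web) into
    the search on its input field that a reverse lookup runs instead."""
    hosts = sorted({row[input_field] for row in table
                    if row[output_field] == value})
    spl = " OR ".join(f'{input_field}="{h}"' for h in hosts)
    return hosts, spl


def demo():
    """Run the three recipes over the sample data."""
    table = inputlookup(MYLOOKUP_CSV)
    explicit = lookup(EVENTS, table, "host")
    # ... | lookup mylookup host | eval machine_type=coalesce(machine_type,"unknown")
    with_default = [dict(e, machine_type=coalesce(e.get("machine_type"), "unknown"))
                    for e in explicit]
    # Automatic lookup with Minimum matches 1 and Default matches "unknown".
    automatic = lookup(EVENTS, table, "host", min_matches=1, default_match="unknown")
    _, spl = reverse_lookup(table, "host", "machine_type", "web")
    return with_default, automatic, spl


if __name__ == "__main__":
    with_default, automatic, spl = demo()
    for e in with_default:
        print(e["host"], "->", e["machine_type"])
    print("machine_type=web becomes:", spl)
```

Two things the model makes visible that the one-liners do not: the event whose host is logged as WEB01 gets no machine_type at all under the default case-sensitive match, so a default of "unknown" can hide a table entry that is present but cased differently, and the reverse lookup of machine_type=web expands to an OR over every host in the table that maps to web, so the size of that expansion grows with the table.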