Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Compare field with column of lookup table

giorgioanastasi
Explorer
‎11-28-2021 12:45 PM

Hi all, I have this need, compare a field with a series of error codes. I would not like to write in the search, any error codes, but I would like to use a lookup table. I then entered the error codes in a column (Name = Errors) of the table, but when i  perform the search, they are not compared correctly.

In the column, for example, is present: login.error.1004

In the search: tag = Log | lookup ServiziApp.csv ServiceName AS Service | search Functionality = "Access" errorCode! = Errors

But the lines despite having a field = login.error.1004, are displayed. Checking the extracted fields, the errorCode field contains login.error.1004 and the Errors field also contains login.error.1004.

Thanks in advance

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-29-2021 02:17 AM

OK, there's the issue - the lookup will not perform a wildcard match for the event error code against any value in the column from the lookup. You can make the lookup support wildcards, but what you actually want here is multiple values, so I suggest that you make a new row in the lookup for each error code you want 

In that case, the in() logic will work when you do the lookup, as all the errorcodes from the lookup file matching the service you are looking for, will be returned as a multi-value field and then the in() can find it.

 

View solution in original post

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎11-28-2021 01:26 PM

Firstly, the search command does not compare field against field, so the 

errorCode! = Errors

is actually looking for the text Errors in the errorCode field.

replace the search with

| where Functionality="Access" AND !match(errorCode, Errors)

however,  do you have the same ServiceName more than once in the lookup file. If so, then you will have Errors as a multi value field, and you would have to use something like 

| where !in(errorCode, Errors)

for that case.

 

Reply
Solved! Jump to solution

giorgioanastasi
Explorer
‎11-29-2021 02:12 AM

Hi Bowesmana and thanks for the response.

match work correctly with one error code, if i add other error codes in the lookup table, !IN(errorCode, Errors) does not work, i.e. the search does not filter these cases.

This is the contents of the lookup column:

login.error.E99999 login.error.10002

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-29-2021 02:17 AM

OK, there's the issue - the lookup will not perform a wildcard match for the event error code against any value in the column from the lookup. You can make the lookup support wildcards, but what you actually want here is multiple values, so I suggest that you make a new row in the lookup for each error code you want 

In that case, the in() logic will work when you do the lookup, as all the errorcodes from the lookup file matching the service you are looking for, will be returned as a multi-value field and then the in() can find it.

 

Reply
Solved! Jump to solution

giorgioanastasi
Explorer
‎11-29-2021 10:07 PM

Thanks again, adding the error codes on multiple lines works

Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...