Hi there,
I'm going to assume your calculated field is using stats or eval? For a better answer, tailored to your issue, it is always best to show the search being used (even if some values are omitted for security reasons).
After you have your "calculated" fields, you may want to rename the fields to a simple format, e.g.
.. | rename count(somefield) AS countSomeField
OR
.. | rename "Some Crazily Formatted_Field(!&$(" AS someField
I have had some issues with fields not looking up properly, but they worked once I changed the name being used. As I said, to help us help you, please paste in your search and the header row of the CSV file.
You can also check that Splunk has accepted your lookup configuration by running the following search (replacing the placeholder as needed):
| inputlookup <yourLookupName>
NOTE: The "|" (pipe) should be the first character typed as this is a special search command.
UPDATE: Based on your example...
So to clarify, your CSV has the following header:
pages,modulename
And you wish to link the pages field from your lookup to the extracted module field from your search (as you detailed it as Linkingfield)? If so try the following:
host="hostname"
| rex field=msg "(GET:\w+://[^)]+/(?<module>[^)]+\.(xap|aspx))"
| lookup <yourLookupFile> pages AS module OUTPUT modulename
| table _time host module modulename
You should also check out the documentation: http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsfromexternaldatasources
Hope this helps,
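To make the field-name point concrete, here is an added Python sketch (not from the answer above or from Splunk) that mimics the same pipeline on constructed events and a constructed lookup CSV: rex keeps only the first match, and lookup only fills modulename when the lookup column named in the command (pages, from the CSV header) matches the extracted module field.

```python
import csv
import io
import re

# The rex pattern from the answer with its backslashes restored.
# re.search returns only the first match, like rex's default max_match=1.
MODULE_RE = re.compile(r"(GET:\w+://[^)]+/(?P<module>[^)]+\.(xap|aspx)))")

# Constructed lookup CSV using the header from the question (pages,modulename).
LOOKUP_CSV = """pages,modulename
login.aspx,Authentication
report.xap,Reporting
"""

# Constructed events: two GETs on the second line, an unmapped page on the third.
EVENTS = [
    {"_time": "10:00:00", "host": "hostname",
     "msg": "(GET:http://intranet/app/login.aspx) 200"},
    {"_time": "10:00:01", "host": "hostname",
     "msg": "(GET:http://intranet/app/report.xap) (GET:http://intranet/app/other.aspx)"},
    {"_time": "10:00:02", "host": "hostname",
     "msg": "(GET:http://intranet/app/unknown.aspx) 404"},
]

def header_fields(csv_text):
    """Header row of the lookup CSV: the only names `lookup` can match on."""
    return csv.DictReader(io.StringIO(csv_text)).fieldnames

def load_lookup(csv_text):
    """inputlookup: the CSV rows as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def rex_first_match(event, pattern, field="msg"):
    """rex with max_match=1: only the first match populates the named groups."""
    m = pattern.search(event.get(field, ""))
    return {**event, **m.groupdict()} if m else dict(event)

def lookup(event, rows, lookup_field, event_field, output_fields):
    """`lookup <file> <lookup_field> AS <event_field> OUTPUT <fields>`: compare the
    lookup column against the renamed event field; the first matching row wins."""
    out = dict(event)
    for row in rows:
        if row[lookup_field] == event.get(event_field):
            out.update({f: row[f] for f in output_fields})
            break
    return out

def run_search(events=EVENTS, csv_text=LOOKUP_CSV, lookup_field="pages"):
    """rex ... | lookup <file> pages AS module OUTPUT modulename | table ..."""
    if lookup_field not in header_fields(csv_text):
        raise KeyError(f"{lookup_field!r} is not a column of the lookup (page vs pages?)")
    rows = load_lookup(csv_text)
    table = []
    for ev in events:
        ev = lookup(rex_first_match(ev, MODULE_RE), rows, lookup_field, "module", ["modulename"])
        table.append({k: ev.get(k) for k in ("_time", "host", "module", "modulename")})
    return table
```

Running run_search() yields Authentication and Reporting for the first two events and no modulename for unknown.aspx, which is the symptom you see when the lookup column name does not match.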
Yes Chayya, it's possible, but you need to have a common field in both the lookup table and the output data from the query.
Further, you need to use the lookup definition, as |inputlookup will not work in the middle of the query. You will definitely get the output if the data matches the lookup table data; your case will work out very well.
That's cool.
Agreed, edited my comment
That's not entirely true, you can reference fields when doing the lookup, e.g. someField AS someOtherField.
Hi,
I want to restrict my regex to the first match. How can I do that?
search
host="hostname" | rex field=msg "(GET:\w+://[^)]+/(?
I want to do a lookup on the module field extracted by rex.
The fields in the lookup file are
pages (linkingfield) and modulename