topic Re: Problem while joining in Splunk Search

Problem while joining

nilaksh92 — Mon, 08 May 2017 10:34:27 GMT

Hi everyone

Need your kind help.

I have 50+ fields under index='abc'

i want to join the same with a lookup which has 5 fields but name of field on the basis of what i am trying to join is different.

I am trying following query

index="abc" sorce_type="xyz" | join fieldA [ inputlookup abcdef | rename fieldX as fieldA]

Please help me out.

Thanks in advance.
Nikks

Re: Problem while joining

DalJeanis — Mon, 08 May 2017 16:33:14 GMT

Looks fine to me, other than misspelling sourcetype.

Try this and see what happens -

index="abc" sourcetype="xyz" 
| join type=left fieldA [ inputlookup abcdef.csv | rename fieldX as fieldA ]
 | table fieldA ... some sample fields from main search... the fields from the lookup table... 
| fillnull value="((none))"

Then the records that have all the lookup values set to ((none)) are the ones where no matching value for fieldA was found in fieldX.

Re: Problem while joining

briancronrath — Mon, 08 May 2017 21:39:59 GMT

since you are doing an inputlookup, you need a | character as the first part of that subsearch. If I were you though since you are using a lookup table to join the data, why not just use he "lookup" command itself? You could just do:
index="abc" source_type="xyz" | lookup abcdef fieldX as fieldA