topic Re: Check field against two lookup tables in Splunk Search

Check field against two lookup tables

mkarimi17 — Wed, 30 Sep 2020 00:07:32 GMT

I have two lookup tables that may contain the hostname of an IP address

| lookup cmdb_ci_server_lookup ip_address as src output fqdn as orig_host
| lookup lansweeper_assets_lookup IPAddress as src output AssetName as orig_host

However, if AssetName in lansweeper_assets_lookup is null, the output of orig_host will be null as well. I know I can assign them different names and do an eval to combine but was hoping to get a more elegant way. any ideas?

Re: Check field against two lookup tables

cmerriman — Wed, 30 Sep 2020 00:12:03 GMT

what exactly is the goal? to join cmdb_ci_server_lookup to lansweeper_assets_lookup by ip_address/IPAddress and fill the null values of AssetName/orig_host from lansweeper_assets_lookup?

Re: Check field against two lookup tables

somesoni2 — Wed, 30 Sep 2020 00:12:06 GMT

Which value takes precedence, once from lansweeper_assets_lookup OR one from cmdb_ci_server_lookup (assuming both returns value)?

Re: Check field against two lookup tables

mkarimi17 — Thu, 18 Apr 2019 20:18:56 GMT

the goal is to get the hostname from either lookup table. not looking to combine them, although maybe I should just do that in a different search

Re: Check field against two lookup tables

mkarimi17 — Thu, 18 Apr 2019 20:19:07 GMT

both should have the same data, so it doesn't really matter to me. but sometimes one is null and the other isn't

Re: Check field against two lookup tables

somesoni2 — Wed, 30 Sep 2020 00:12:14 GMT

Cool. So in your lookup command, you're using OUTPUT option to get orig_host, replace it with OUTPUTNEW.

If the OUTPUT clause is specified, the output lookup fields overwrite existing fields. If the OUTPUTNEW clause is specified, the lookup is not performed for events in which the output fields already exist.

So your queries will be like this

| lookup cmdb_ci_server_lookup ip_address as src outputnew fqdn as orig_host
| lookup lansweeper_assets_lookup IPAddress as src outputnew AssetName as orig_host

Re: Check field against two lookup tables

cmerriman — Thu, 18 Apr 2019 20:29:37 GMT

If you're just trying to bring in hostname and not combine the tables together, I'd use coalesce. I'd just do something like

|join src type=left [|inputlookup cmdb_ci_server_lookup|fields ip_address fqdn|rename ip_address as src] 
|join src type=left [|inputlookup lansweeper_assets_lookup |fields IPAddress AssetName|rename IPAddress as src]
|eval orig_host=coalesce(fqdn,AssetName)

Re: Check field against two lookup tables

mkarimi17 — Thu, 18 Apr 2019 21:32:14 GMT

ah! totally forgot about outputnew instead of output.

Re: Check field against two lookup tables

mkarimi17 — Thu, 18 Apr 2019 21:32:56 GMT

thanks but this is basically what I had and it's super long. outputnew did the trick!

Re: Check field against two lookup tables

woodcock — Sun, 21 Apr 2019 14:49:29 GMT

Click Accept on your answer and the UpVote anything else that was useful.