https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-results-of-one-lookup-with-a-second-lookup/m-p/610497#M212317 <P>I had a feeling I was overcomplicating it - thank you so much!</P> Tue, 23 Aug 2022 14:04:40 GMT mistydennis 2022-08-23T14:04:40Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-results-of-one-lookup-with-a-second-lookup/m-p/610385#M212256 <P>Hi all - I am trying to take one lookup and limit its results with another lookup.&nbsp; I can kinda get it to work with my current SPL, but it's taking a long time to run and the results don't come out as expected. Here's what I have so far:<BR /><BR /></P> <P>&nbsp;</P> <LI-CODE lang="markup">| inputlookup my_kvstore | lookup my_lookup lookupfield_1 AS kvstorefield_1 OUTPUT lookupfield_1 | lookup my_kvstore kvstorefield_1 AS lookupfield_1 OUTPUT kvstorefield_2, kvstorefield_3, kvstorefield_4, kvstorefield_5 | WHERE kvstorefield_1=lookupfield_1</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Results:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="16.666666666666668%" height="25px">kvstorefield_1</TD> <TD width="16.666666666666668%" height="25px">kvstorefield_2</TD> <TD width="16.666666666666668%" height="25px">kvstorefield_3</TD> <TD width="16.666666666666668%" height="25px">kvstorefield_4</TD> <TD width="16.666666666666668%" height="25px">kvstorefield_5</TD> <TD width="16.666666666666668%" height="25px">lookupfield_1</TD> </TR> <TR> <TD width="16.666666666666668%"> <P>2016</P> <P>2016</P> </TD> <TD width="16.666666666666668%"> <P>centos</P> <P>centos</P> </TD> <TD width="16.666666666666668%"> <P>linux</P> <P>linux</P> </TD> <TD width="16.666666666666668%"> <P>web</P> <P>web</P> </TD> <TD width="16.666666666666668%"> <P>workstation1</P> <P>workstation2</P> </TD> <TD width="16.666666666666668%"> <P>2016</P> <P>2016</P> </TD> </TR> <TR> <TD width="16.666666666666668%" height="112px"> <P>2017</P> <P>2017</P> <P>2017</P> </TD> <TD width="16.666666666666668%" height="112px"> <P>apache</P> <P>apache</P> <P>apache</P> </TD> <TD width="16.666666666666668%" height="112px"> <P>tomcat</P> <P>tomcat</P> <P>tomcat</P> </TD> <TD width="16.666666666666668%" height="112px"> <P>http</P> <P>http</P> <P>http</P> </TD> <TD width="16.666666666666668%" height="112px"> <P>server1</P> <P>server2</P> <P>server3</P> </TD> <TD width="16.666666666666668%" height="112px"> <P>2017</P> <P>2017</P> <P>2017</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>1. Is my search formed correctly?&nbsp;<BR />2. How do I get each of the events to come out in their own row instead of being grouped into one line based on the matching kvstorefield/lookupfield?</P> Mon, 22 Aug 2022 20:52:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-results-of-one-lookup-with-a-second-lookup/m-p/610385#M212256 mistydennis 2022-08-22T20:52:41Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-results-of-one-lookup-with-a-second-lookup/m-p/610403#M212264 <P>If I understand the example correctly, kv store lookup contains data set 1 and you want to only select rows where a row also exists in your second lookup.&nbsp;</P><P>Seems to me that you already have&nbsp;kvstorefield_ fields 2-5 from the inputlookup on your first line, so the lookup on line 2 will simply validate if it contains&nbsp;kvstorefield_1. I believe your line 3 and 4 can just be replaced with&nbsp;</P><LI-CODE lang="markup">| where isnotnull(lookupfield_1)</LI-CODE><P>which will say 'if&nbsp;kvstorefield_1 is NOT in lookup, then ignore'.</P><P>&nbsp;</P> Mon, 22 Aug 2022 23:18:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-results-of-one-lookup-with-a-second-lookup/m-p/610403#M212264 bowesmana 2022-08-22T23:18:34Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-results-of-one-lookup-with-a-second-lookup/m-p/610404#M212265 <P>not sure what your second lookup is containing, but if you have multiple matches for the lookup field (2016/2017), then you will get multiple results in the same row, so when you re-lookup the data, it will create multiple values in the final table.</P><P>If you remove the second lookup, which appears unnecessary, then your result should look better.</P> Mon, 22 Aug 2022 23:25:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-results-of-one-lookup-with-a-second-lookup/m-p/610404#M212265 bowesmana 2022-08-22T23:25:58Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-results-of-one-lookup-with-a-second-lookup/m-p/610497#M212317 <P>I had a feeling I was overcomplicating it - thank you so much!</P> Tue, 23 Aug 2022 14:04:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-results-of-one-lookup-with-a-second-lookup/m-p/610497#M212317 mistydennis 2022-08-23T14:04:40Z