topic Re: How to join my search to a lookup table with more than one field? in Splunk Search

How to join my search to a lookup table with more than one field?

ewanbrown — Mon, 28 Sep 2020 18:32:31 GMT

I have a search query that I need to join to a lookup table.

I have it joining to this lookup table TestDec14 and working when I look up the NEW_ID field, but I also need to join to the ID_TYPE field

index=test NEW_ID=123 OR NEW_ID= 456

| lookup TestDec14 NEW_ID
| eval new_add=NEW_ID.",".address

| chart count by new_add
| sort count desc

Is this possible? If so do you have any syntax on how I would do this? I've tried a few options but none have worked

Thanks

Re: How to join my search to a lookup table with more than one field?

pedromvieira — Tue, 23 Dec 2014 14:16:35 GMT

Yes you can lookup from multiple fields.

The syntax is:

... | lookup YOUR_LOOKUP field1 fieldn OUTPUT column1 columnn

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

In your example it will be:

index=test NEW_ID=123 OR NEW_ID= 456 
| lookup TestDec14 NEW_ID ID_TYPE OUTPUT
| eval new_add=NEW_ID.",".address 
| chart count by new_add 
| sort count desc

Re: How to join my search to a lookup table with more than one field?

ewanbrown — Tue, 20 Jan 2015 15:12:17 GMT

Perfect! Thanks (a month after you answered it!!)