Row lookup

deodion — Mon, 28 Sep 2020 10:13:33 GMT

Is there any way to lookup row instead column cell?

For example,
row1: header_a, header_b
row2: value_a, value_b
row3: header_c, header_d
row4: value_c, value_d

| lookup mylookup header_c OUTPUT value_c

Thanks,

Re: Row lookup

Paolo_Prigione — Wed, 14 Dec 2011 10:47:03 GMT

You could do this only with a scripted, python-based, lookup command. More infos here. But I suggest you to reformat the file, if possible.

If you were to index your lookup file, then you could use a search to "parse" it into key=value pairs, but you would need a way to identify header rows. In the next sample, the file lup.txt is the following:

header1,header2
value1,value2
header3,header4,header5
value3,value4,value5

and this search:

| file /opt/splunkbeta/etc/apps/search/lookups/lup.txt | eval values=_raw | streamstats first(_raw) as header window=1 current=f | search header="head*" | mappy _raw="; ".join(["=".join(t) for t in zip(header.split(","),values.split(","))]) | extract pairdelim="; " kvdelim="="

produces key-value pairs from that file. It assumes headers start with "head*". You could use this to join with your search, or elaborate on that. Note: you need to assign the use_file_operator privilege to take advantage of the file command.

Another way could be to use the multikv command with the multitable option on. But you will have to reformat the file in any case.

topic Row lookup in Splunk Search

Row lookup

Re: Row lookup