https://community.splunk.com/t5/Splunk-Search/Lookup-using-an-indexed-log-file/m-p/303133#M91203 <P>Hi guys</P> <P>I'm not an expert of Splunk.<BR /> I was wondering if I can use a lookup to reference fields that are stored into another log file (not csv) indexed in Splunk</P> <P>Let me explain:<BR /> I have a log file indexed in Splunk:</P> <PRE><CODE>col1,col2,GCD1,col4,col5 col1,col2,GCD2,col4,col5 col1,col2,GCD3,col4,col5 </CODE></PRE> <P>I've another file always indexed in Splunk:</P> <PRE><CODE>graph [ directed 1 node [ id 1 Node "Node1" ] node [ id 2 Node "Node2" ] node [ id 3 Node "Node3" ] ] </CODE></PRE> <P>I need a new field when I search for the first file that match the GDCID with the id in the second file</P> <PRE><CODE> col1,col2,GCD1,col4,col5,Node1 col1,col2,GCD2,col4,col5,Node2 col1,col2,GCD3,col4,col5,Node3 </CODE></PRE> <P>Is this possible?<BR /> Thanks</P> Tue, 14 Feb 2017 11:22:59 GMT faustf 2017-02-14T11:22:59Z https://community.splunk.com/t5/Splunk-Search/Lookup-using-an-indexed-log-file/m-p/303133#M91203 <P>Hi guys</P> <P>I'm not an expert of Splunk.<BR /> I was wondering if I can use a lookup to reference fields that are stored into another log file (not csv) indexed in Splunk</P> <P>Let me explain:<BR /> I have a log file indexed in Splunk:</P> <PRE><CODE>col1,col2,GCD1,col4,col5 col1,col2,GCD2,col4,col5 col1,col2,GCD3,col4,col5 </CODE></PRE> <P>I've another file always indexed in Splunk:</P> <PRE><CODE>graph [ directed 1 node [ id 1 Node "Node1" ] node [ id 2 Node "Node2" ] node [ id 3 Node "Node3" ] ] </CODE></PRE> <P>I need a new field when I search for the first file that match the GDCID with the id in the second file</P> <PRE><CODE> col1,col2,GCD1,col4,col5,Node1 col1,col2,GCD2,col4,col5,Node2 col1,col2,GCD3,col4,col5,Node3 </CODE></PRE> <P>Is this possible?<BR /> Thanks</P> Tue, 14 Feb 2017 11:22:59 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-using-an-indexed-log-file/m-p/303133#M91203 faustf 2017-02-14T11:22:59Z https://community.splunk.com/t5/Splunk-Search/Lookup-using-an-indexed-log-file/m-p/303134#M91204 <P>The general approach is something like this:</P> <PRE><CODE>(search identifying data set 1) OR (search identifying data set 2) | stats values(field1) as field1 ... by common_field </CODE></PRE> <P>The general assumption here is to have one event per <CODE>"GCDn"</CODE> on the left and one event per <CODE>"id n"</CODE> on the right, the stats stitches them together.</P> <P>In your case you may need to do a bit of preprocessing, for example your first data set seems to have values like <CODE>"GCD1"</CODE> while the second data set appears to have values like <CODE>"id 1"</CODE> - those field values need to be harmonized before the stats, e.g. like this:</P> <PRE><CODE>() OR () | eval common_field = case(expression identifying data set 1, replace(field_from_data_set_1, "GCD", ""), expression identifying data set 2, replace(field_from_data_set_1, "id ", ""), true(), "unknown id") | stats ... </CODE></PRE> <P>More background: <A href="https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html">https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html</A><BR /> Even more background: <A href="https://wiki.splunk.com/Virtual_.conf">https://wiki.splunk.com/Virtual_.conf</A> March 2016 talk "Best practices around grouping and aggregating data from different search results"</P> Tue, 14 Feb 2017 12:44:53 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-using-an-indexed-log-file/m-p/303134#M91204 martin_mueller 2017-02-14T12:44:53Z