topic Re: Hi i want to join a field from log file and lookup table in Splunk Search

Hi i want to join a field from log file and lookup table

ujwalagangakoth — Tue, 29 Sep 2020 13:36:44 GMT

for eg in a.log file i have data as

dept_id Name Leave_count
1 xx 9
2 yy 8
3 zz 4
and have a b.csv lookup table file which has

dept_id designation allowed_leave
1 manager 10
2 TL 6
3 senior manager 10

now i want to compare leave count and allowed leave by joining a.log and b.csv lookup table using dept_id and display name,designation which satisfies (allowed_leave-leave count)< 0

Re: Hi i want to join a field from log file and lookup table

niketn — Wed, 12 Apr 2017 10:16:34 GMT

If you have Lookup Definition created as b from (Settings > Lookups > Lookup Definition) for lookup table b.csv, you can use the following:

<YourBaseSearchWithIndexAndHostName> source="a.log"
| lookup b dept_id OUTPUT allowed_leave designation
| where allowed_leave<Leave_count
| table Name dept_id allowed_leave Leave_count designation

Refer to lookup command documentation: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

Re: Hi i want to join a field from log file and lookup table

niketn — Thu, 13 Apr 2017 06:42:22 GMT

@ujwalagangakotha were you able to try out the answer?