Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Match value from lookup table to values of multiple fields

mrbeck02
Explorer
‎06-13-2017 02:38 PM

I have created a basic lookup table with 2 columns, "lookup1.csv"
Col1,Col2
12,bar
14,vix
15,yell

Within my index the values of Col1 are possibly present in 2 different fields (Field1,Field2). I would like to perform a lookup which would match values in Col1 to those in Field1 OR Field2

Example Report:
| table value(Field1), match found in lookup1.csv

If we get this far, then create an automatic lookup which creates an event when there is a match.

Thanks

0 Karma
Reply

woodcock
Esteemed Legend
‎06-13-2017 05:23 PM

Like this:

index="YourIndexHere" sourcetype="YourSourcetypeHere"
| lookup lookup1 Col1 AS Field1 OUTPUT Col2 AS Match1
| lookup lookup1 Col1 AS Field2 OUTPUT Col2 AS Match2
| search Match1="*" OR Match2="*"
| table Field1 Match1 Field2 Match2
Reply

mrbeck02
Explorer
‎06-14-2017 07:05 AM

This worked, thank you.

0 Karma
Reply

somesoni2
Revered Legend
‎06-13-2017 03:07 PM

Try like this

your current search which includes Field1 and Field2
| eval matchField=split(Field1."##".Field2,"##") 
| lookup lookup1.csv Col1 as matchField OUTPUT Col2 as matchedValue
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...