On setting from multiple table columns to an input field in an automatic lookup

NC_AS
Explorer

Hello.
Thank you for all your help and support.

In a registered lookup table file (CSV), if I want to search and match the value of a specific field from two columns, how should I set the input fields in the automatic lookup setup screen?

For example, I have the following columns in my table file:

PC_Name,MacAddress1,MacAddress2


The MacAddress in the Splunk index log resides in either MacAddress1 or MacAddress2 in the table file.
Therefore, we want to search both columns and return the PC_Name of the matching record.

As a test, I tried to set the following two input fields to be searched automatically from the Lookup settings screen of the GUI, but PC_Name did not appear in the search result field.
*See attached image.
*If the following input field setting is one, PC_Name is output.

MACAddr1 = Mac address
MACAddr2 = Mac address

So, as a workaround, I split the lookup settings into two and set each as follows:

MACAddr1 = MacAddress

and

MACAddr2 = MacAddress

in the input fields to display the search results.

However, this is not smart.

Note that the lookup is configured from the Splunk Web UI.
What is the best way to configure this?

0 Karma
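
Added example, not part of the original post and not Splunk's own code: one way to avoid needing two input fields is to reshape the table so that each MAC address has its own row, after which a single automatic lookup with one input field (`MacAddress`) can return `PC_Name`. It assumes that a lookup with two input fields only matches when both columns match, which would explain the empty result described above; the sample rows and function names are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample table in the wide layout described in the post.
WIDE_CSV = """PC_Name,MacAddress1,MacAddress2
PC-001,00:11:22:AA:BB:01,00-11-22-aa-bb-02
PC-002,00:11:22:AA:BB:03,
PC-003,0011.22aa.bb04,00:11:22:AA:BB:05
"""

def normalize_mac(value):
    """Return the MAC as lowercase colon-separated hex, or None if empty/invalid."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value or "")
    if len(digits) != 12:
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def wide_to_long(wide_text, mac_columns=("MacAddress1", "MacAddress2")):
    """Return one (PC_Name, MacAddress) row per usable MAC column value."""
    rows, owner_of = [], {}
    for record in csv.DictReader(io.StringIO(wide_text)):
        for column in mac_columns:
            mac = normalize_mac(record.get(column))
            if mac is None:
                continue  # empty or malformed cell: nothing to look up
            name = record["PC_Name"]
            if mac in owner_of:
                if owner_of[mac] != name:
                    raise ValueError(f"{mac} is listed for {owner_of[mac]} and {name}")
                continue  # same MAC repeated for the same PC
            owner_of[mac] = name
            rows.append((name, mac))
    return rows

def to_csv(rows):
    """Serialize the long-form rows as the new lookup table file."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(("PC_Name", "MacAddress"))
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(wide_to_long(WIDE_CSV)))
```

The MAC address field in the events has to be in the same normalized form (lowercase, colon-separated) for the single-column match to succeed.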