How to add content from lookup table data?

sekhar463
Path Finder

Good day All!

I have created a lookup (| inputlookup Autosys.csv) and I have the fields KB, REGION and JOB_NAME.

I have a Splunk search in which I have some job data.

How can I ingest the other fields in the lookup into the Splunk events, using JOB_NAME as the common field?

Below is the search to which I want to add the lookup data:

 

index=index_name  sourcetype=source_name
| eval Actualstarttime=strftime(strptime(NEXT_START,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| eval Job_start_by=strftime(strptime(LAST_START,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| eval START_SLA=if(Job_start_by <= Actualstarttime,"Started On Time","Started Late")
| eval END_SLA=if(RUNTIME <= AVG_RUN_TIME,"END ONTIME","END SLA BREACH")
| search NEXT_START!=NULL
| table JOB_NAME,JOB_GROUP,TIMEZONE,STATUS,Currenttime,STATUS_TIME,LAST_START,LAST_END,NEXT_START,DAYS_OF_WEEK,EXCLUDE_CALENDAR,RUNTIME,Actualstarttime,Job_start_by,START_SLA,AVG_RUN_TIME,END_SLA

 

0 Karma

gcusello
SplunkTrust

Hi @sekhar463,

If you want to use the data from the lookup to enrich your search data, you can use the lookup command (as hinted by @Manasa_401).

If instead you want to save data from your search in the lookup, you have to explore the outputlookup command (https://docs.splunk.com/Documentation/Splunk/9.0.2/SearchReference/Outputlookup) that must be added at the end of your search.

Ciao.

Giuseppe

0 Karma

sekhar463
Path Finder

Hello Manasa, you're awesome.

Why has it not worked, even though I have tried with an automatic lookup as well?

0 Karma

Manasa_401
Communicator

Have you created a lookup definition? If not, try it.

0 Karma

sekhar463
Path Finder

Hi, yeah Manasa, I have created a lookup definition and created an automatic lookup as well for the source type.

After that I am searching with the query and the fields are not added.

0 Karma

Manasa_401
Communicator

Hello @sekhar463 

If you want to include lookup data in the search using a common field, then add the line below to your query.


|lookup Autosys.csv JOB_NAME OUTPUT KB REGION

If this helps, an upvote would be appreciated.

Thanks,

Manasa

0 Karma
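
The answer above combined with the search from the question, as an added example that is not part of the original posts: the lookup line is placed before the final table, and KB and REGION are appended to the table list because table keeps only the fields it names. It assumes the lookup file Autosys.csv and the field names given in the thread; index_name and source_name are the question's own placeholders.

```spl
index=index_name sourcetype=source_name
| eval Actualstarttime=strftime(strptime(NEXT_START,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| eval Job_start_by=strftime(strptime(LAST_START,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| eval START_SLA=if(Job_start_by <= Actualstarttime,"Started On Time","Started Late")
| eval END_SLA=if(RUNTIME <= AVG_RUN_TIME,"END ONTIME","END SLA BREACH")
| search NEXT_START!=NULL
| lookup Autosys.csv JOB_NAME OUTPUT KB REGION
| table JOB_NAME,JOB_GROUP,TIMEZONE,STATUS,Currenttime,STATUS_TIME,LAST_START,LAST_END,NEXT_START,DAYS_OF_WEEK,EXCLUDE_CALENDAR,RUNTIME,Actualstarttime,Job_start_by,START_SLA,AVG_RUN_TIME,END_SLA,KB,REGION
```

If KB and REGION come back empty, compare the JOB_NAME values in the events with those in the CSV: a CSV lookup matches field values case-sensitively by default, so a difference in case or stray whitespace prevents a match.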