Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to join a DB search with a lookup.csv?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to join a DB search with a lookup.csv?
I have a database search that pulls back a list of ID's for me and I also have a Lookup that has the titles and the IDs that relates to the DB ID's. For example, see the below:
DB table has this ID: 123456
lookup csv has this title and ID: rhubarb and 123456
The DB table has lots of other information in there which is why I need to join them to get more information and I can't find anything similar on Splunk. I have put my test query below but doesn't work so any advice is appreciated
| dbxquery connection="gg" query="SELECT * from idstudio" | rename Id1 as Id2 | join Id1 [search lookup Idslookup.csv]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to create a lookup definition on that csv lookup. For that follow this: http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/ConfigureCSVlookups
After you have created a lookup definition, let's say you named it ldslookup,
| dbxquery connection="gg" query="SELECT * from idstudio"
| lookup Id Idslookup OUTPUT <whatever field you want form the lookup>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response. I have done this but when i run the query it does not pull anything through from the lookup and only pulls through the db query. I currently have the below:
| dbxquery connection="gg" query="SELECT * from idtable" | eval ParentId2=substr(ParentId , 1, len(ParentId )-3)
| lookup CommunityTitles2 KBID OUTPUT Title
In your lookup you have the column name prior to the lookup which came back with an error message so i swapped it around. Any idea why it is not pulling anything back from the lookup table?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
