Solved: Re: how to report based on different lookup tables

pstamati · ‎01-03-2018

Hello!

I have been looking for a way to report or dashboard based on this scenario. I have 3 different lookup tables:
Table 1: Key field IP Address, with field 2, field 3, field 4, etc.
Table 2: Key field IP Address, with field 5, field 6, field 7 etc.
Table 3: Key field IP Address, with field 8, field 9 and field 10.

How can I report/dashboard to show something like:

IP address, field 2, field3, field 4, field5, field6, ....field 10?

Thanks in advance for any assistance you can provide as I have been unsuccessfully trying this for quite so long. These tables are been automatically generated by Splunk grabbing data from different sources so I would avoid the manual process of just manually downloading this and consolidate it 🙂

somesoni2 · ‎01-03-2018

You can do like this

| inputlookup YourLookupTable1.csv  | table IP_ADDRESS field2 field3 field4 
| lookup YourLookupTable2.csv IP_ADDRESS OUTPUT field5 field6 field7
| lookup YourLookupTable3.csv IP_ADDRESS OUTPUT field8 field9 field10

View solution in original post

pstamati · ‎01-03-2018

I found it...sorry, I needed to use AS to match IP Address from Table 1 and Table 2.
Many thanks!!

somesoni2 · ‎01-03-2018

You can do like this

| inputlookup YourLookupTable1.csv  | table IP_ADDRESS field2 field3 field4 
| lookup YourLookupTable2.csv IP_ADDRESS OUTPUT field5 field6 field7
| lookup YourLookupTable3.csv IP_ADDRESS OUTPUT field8 field9 field10

pstamati · ‎01-03-2018

Thanks for your reply. I was just trying what you've suggested. So for a particular IP address, I want to list all the fields in the 3 different lookups I have. Is there any match or Join I need to do to get that?

how to report based on different lookup tables

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life