Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Append the columns of a search onto the results of another search many times [lookup, but for a search]

ccunov
New Member
‎09-13-2019 04:34 PM

Search A returns many events for each ID.
Search B returns a single event for each ID.

My end result is a table with each event from search A, with the values from a few fields in search B appended as new columns to EACH event in A.

If that's not clear here's more:

Search A looks like this:

_time,ID,interesting_field
1,1,420
1,2,69
1,3,8008
2,1,5318008
2,2,12
2,3,41
...

Search B looks like this:

_time,ID,tag
1,1,hello
1,2,wuddup
1,3,yo

End-result should look like this:

_time,ID,interesting_field,tag
1,1,420,hello
2,1,5318008,hello
1,2,69,wuddup
2,2,12,wuddup
1,3,8008,yo
2,3,41,yo

Extra tags for the people from google: one-to-many

0 Karma
Reply

MuS
Legend
‎09-18-2019 04:36 PM

Hi ccunov,

I used the sample events from search B and created a lookup file with it so it contains :

_time,ID,tag
1,1,hello
1,2,wuddup
1,3,yo

then you can use this SPL to get the expected table view:

search a | rename _time AS time | lookup search_b.csv ID | table time ID int* tag | sort tag

The result looks like this:

alt text
Just ignore the first inputlookup this was just me getting your search a sample events in.

Hope this helps ...

cheers, MuS

Preview file
1 KB
0 Karma
Reply

ccunov
New Member
‎09-19-2019 09:57 AM

I guess what I'm trying to do is exactly what lookup does. Unfortunately I can't dynamically create a lookup, and that wouldn't be efficient anyway. Is there a similar command for a search?

Thanks for putting in the effort to help me btw!

0 Karma
Reply

MuS
Legend
‎09-22-2019 04:40 PM

Why can't you create dynamic lookups? Any search result can be saved as lookup using outputlookup command. Also lookup's are a very efficient tool to enrich events or limit events, they can get inefficient when we talk about millions of lines or very high 3 digit MB in size.

cheers, MuS

0 Karma
Reply

MuS
Legend
‎09-14-2019 02:03 AM

Hi ccunov,

try something like this:

( search A ) OR ( search B )
| stats values(*) AS * by _time ID

This will combine the events as shown in your expected end result.

Hope this helps ...

cheers, MuS

0 Karma
Reply

ccunov
New Member
‎09-18-2019 03:09 PM

This doesn't combine the results into one table, it just returns events from both searches

0 Karma
Reply

MuS
Legend
‎09-18-2019 04:32 PM

Yeah, I see what you mean and will post a new answer with a better approach 😉

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...