Cannot add fields from lookup file to events

Engager

Good Day,

I am working with the following:

Through an indexer I have three fields of interest, Field A, Field B, and Field C. I also have a CSV file as a lookup file with the same fields, which I will call Field A1, Field B1, and Field C1. The CSV file also has two further fields of interest that I will call Fields D1 and E1.

I have been trying to write a search string where, if Fields A, B and C equal Fields A1, B1 and C1 in the CSV, Fields D1 and E1 will be added to the event results.

I tried the following: (basic indexer search string to get Fields A, B and C | lookup CSV FieldA1 FieldA2 FieldA3 | where FieldA and FieldB and FieldC = FieldA1 and FieldB1 and FieldC1 | ... (I have tried append, output etc. with either nothing coming up or errors).

I know I am missing something (and it is probably something simple).

Any assistance would be appreciated.

Thanks,

Ed


SplunkTrust

All you need is the lookup command. It will do the matching for you, so there's no need for where.

index=foo 
| lookup lookupfile.csv FieldA1 as FieldA FieldB1 as FieldB FieldC1 as FieldC OUTPUT FieldD1 FieldE1

---
If this reply helps you, an upvote would be appreciated.

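As an added example (not from the original thread), the same three-key lookup written out as a fuller search: OUTPUTNEW so a FieldD1/FieldE1 already present in an event is not overwritten, an explicit flag for events the CSV did not match, and a summary to check how many events were actually enriched. The index, sourcetype and lookup file name are assumptions.

```spl
index=foo sourcetype=bar
| lookup lookupfile.csv FieldA1 AS FieldA FieldB1 AS FieldB FieldC1 AS FieldC OUTPUTNEW FieldD1 FieldE1
| eval lookup_matched=if(isnotnull(FieldD1), "matched", "unmatched")
| fillnull value="-" FieldD1 FieldE1
| stats count AS events BY lookup_matched FieldD1 FieldE1
```

The fillnull step matters because stats BY silently drops events whose BY field is null, which would hide every unmatched event. Running `| inputlookup lookupfile.csv | head 5` first confirms the CSV column names are exactly FieldA1 through FieldE1; lookup compares the key values as strings, so a header typo or stray whitespace in the CSV produces no matches rather than an error.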

Engager

Worked perfectly, thank you for the help.

Cheers,

Ed
