Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Conditional Lookup

ashish9433
Communicator
‎01-11-2018 11:25 AM

Hi Team,

This appears to be a complex scenario to me to implement on Splunk

Below is the table i have on Splunk

alt text

In the above table, for check_ids (1.1.10, 1.1.14.... and so on ) there are multiple blank fields and i need to fill the blanks with a information in the lookup and condition.

Below is the lookup file.

alt text

In the lookup file, for each profile what all check_id are present is mentioned.

Here comes the problem statement.

In the first image above i want to fill the blanks to "unknown" if for that respective profile and check_id there is no entry in the lookup table.

For example - In the first row, the profile is "coreos-level-1" and there is blank for "1.1.10", "1.1.14", both these entries are not there in the lookup, so i want to replace blank with "Unknown", whereas if the check_id exists in the lookup then nothing needs to be filled and it can remain blank.

Can anyone help me with a logic to get this done in Splunk?

Tags (3)
Preview file
21 KB
Preview file
29 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-11-2018 11:44 AM

Give this a try

your currrent search giving fields instance, a field for each check_ids and profile
| eval temp=instance."#".profile | fields - instance profile
| untable temp Check_ID Val
| eval Profile=mvindex(split(temp,"#"),1)
| lookup YourLookupTable.csv Check_ID Profile OUTPUT Profile as Val2
| eval Val2=if(isnull(Val2),"Unknown",null())
| eval Val=coalesce(Val,Val2)
| xyseries temp Check_ID Val
| rex field=temp "(?<instance>.+)#(?<profile>.+)" | fields - temp
| table instance * profile

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-11-2018 11:44 AM

Give this a try

your currrent search giving fields instance, a field for each check_ids and profile
| eval temp=instance."#".profile | fields - instance profile
| untable temp Check_ID Val
| eval Profile=mvindex(split(temp,"#"),1)
| lookup YourLookupTable.csv Check_ID Profile OUTPUT Profile as Val2
| eval Val2=if(isnull(Val2),"Unknown",null())
| eval Val=coalesce(Val,Val2)
| xyseries temp Check_ID Val
| rex field=temp "(?<instance>.+)#(?<profile>.+)" | fields - temp
| table instance * profile
Reply
Solved! Jump to solution

ashish9433
Communicator
‎01-12-2018 08:03 AM

This guidance, made me get what i was looking for! Thanks

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎01-11-2018 11:39 AM

How was the top table created? Being in that format definitely complicates your search, so if you instead have access to the data used to create that table it may be easier to start with the raw data instead.

Also, please include these samples in text form, not screenshots. It's very difficult to work with sample data when you have to manually enter it in.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...

Index This | What is feather-light but cannot be held long?

May 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

.conf26 Registration is Live: Secure Your Early Bird Pass Now

  Lock in Your Spot: Registration Open for .conf26 in Denver Hello Splunkers, I have exciting news! Your ...