This is just a dummy example to illustrate a problem I'm having with my DB Lookup...
Within my Splunk search results, I have two fields, person_id1 and person_id2.
In my database, I have the fields user_id, user_name and member_type.
My 'database lookup' matches the person_id1 and person_id2 fields in the Splunk search results with the user_id field in my database, and then returns the related user_name and member_type fields.
The SQL in my 'database lookup' (myDbLookup) looks like this:
SELECT user_name, member_type FROM myTable WHERE $person_id1$ = user_id OR $person_id2$ = user_id
My Splunk search string looks like this:
sourcetype="events" | lookup myDbLookup person_id1, person_id2 as user_id OUTPUT user_name, member_type | table person_id1, person_id2, user_name, member_type
Some IDs in my search results will return names and some won't; sometimes both IDs could have a linked name.
So the problem is that when I do have a name returned, how do I know whether the name matched with person_id1 or person_id2? How do I handle the instance where both IDs have matching names in the database?
Is there a better way to be doing this?
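One way to make the match unambiguous, added here as an example and not part of the original question or Splunk's own documentation: define the DB lookup with a single input field and invoke it once per event field, renaming the outputs so each result is tied to the ID that produced it. This assumes the lookup (called myDbLookup below, as in the question) is defined with the SQL `SELECT user_id, user_name, member_type FROM myTable WHERE user_id = $user_id$`, i.e. user_id is its only input, and that the output field names user_name1/user_name2 and member_type1/member_type2 are free to use in the search.

```spl
sourcetype="events"
| lookup myDbLookup user_id AS person_id1 OUTPUT user_name AS user_name1, member_type AS member_type1
| lookup myDbLookup user_id AS person_id2 OUTPUT user_name AS user_name2, member_type AS member_type2
| eval match_status=case(isnotnull(user_name1) AND isnotnull(user_name2), "both",
                         isnotnull(user_name1), "person_id1 only",
                         isnotnull(user_name2), "person_id2 only",
                         true(), "neither")
| table person_id1, user_name1, member_type1, person_id2, user_name2, member_type2, match_status
```

Because each lookup call carries its own input field and its own renamed outputs, an event where both IDs resolve keeps both names side by side instead of collapsing them into one user_name value, and the eval makes the "which one matched" question a field you can filter or report on directly.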
I think you are misunderstanding how that lookup works. As written, it requires 2 (both) inputs and returns 2 outputs. So your lookup always "matches both" for lack of a better way to put it. To me, your question (as asked) makes no sense.
You didn't specify an event-field for person_id1.
Note - the wording changed from 6.2 to 6.3 in the docs and local-field is now referred to as event-field.