Splunk Search

DB Lookup - If I have two database inputs of the same type, how do I differentiate between the outputs?

Explorer

This is just a dummy example to illustrate a problem I'm having with my DB Lookup...

Within my Splunk search results, I have two fields, person_id1 and person_id2.

In my database, I have the fields user_id, user_name and member_type.

My 'database lookup' matches the person_id1 and person_id2 fields in the Splunk search results with the user_id field in my database, and then returns the related user_name and member_type fields.

The SQL in my 'database lookup' (myDbLookup) looks like this:

SELECT user_name, member_type FROM myTable WHERE $person_id1$ = user_id OR $person_id2$ = user_id

My Splunk search string looks like this:

sourcetype="events" | lookup myDbLookup person_id1, person_id2 as user_id OUTPUT user_name, member_type | table person_id1, person_id2, user_name, member_type

Some ids in my search results will return names, and some won't; sometimes both ids could have a linked name.

So the problem is that when I do have a name returned, how do I know whether the name matched with person_id1 or person_id2? How do I handle the instance where both ids have matching names in the database?

Is there a better way to be doing this?

  • James
0 Karma
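The following is an added example, not code from the original post or from Splunk DB Connect. It runs the two query shapes against an in-memory SQLite copy of myTable (the rows and events are constructed for the example) to show why the OR query loses attribution: when only one id matches you get a row but no indication which id produced it, and when both ids match you get two rows that a lookup cannot map back to their inputs. The enrich() function shows the alternative the question hints at, a single-input query run once per id field with aliased outputs; whether your DB lookup can be redefined with a single $user_id$ input is an assumption, and the equivalent SPL shape in the comment (lookup ... user_id AS person_id1 OUTPUT user_name AS user_name1 ...) assumes that redefinition.

```python
import sqlite3

# Constructed sample data standing in for myTable (user_id, user_name, member_type).
# These rows are made up for this example; they are not from the original post.
SAMPLE_USERS = [
    (101, "alice", "staff"),
    (102, "bob", "guest"),
    (103, "carol", "staff"),
]

# Constructed Splunk-side events carrying the two id fields from the question.
# 104 and 105 have no row in the table, which is the "no name returned" case.
SAMPLE_EVENTS = [
    {"person_id1": 101, "person_id2": 104},  # only person_id1 matches
    {"person_id1": 104, "person_id2": 102},  # only person_id2 matches
    {"person_id1": 101, "person_id2": 103},  # both match
    {"person_id1": 104, "person_id2": 105},  # neither matches
]


def build_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE myTable (user_id INTEGER PRIMARY KEY, user_name TEXT, member_type TEXT)"
    )
    conn.executemany("INSERT INTO myTable VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def or_lookup(conn, person_id1, person_id2):
    """The query from the post, with the $person_id1$/$person_id2$ placeholders bound
    as parameters. Every matching row comes back, but nothing in the result set says
    which input id produced which row, and two rows come back when both ids match."""
    return conn.execute(
        "SELECT user_name, member_type FROM myTable WHERE ? = user_id OR ? = user_id",
        (person_id1, person_id2),
    ).fetchall()


def single_key_lookup(conn, user_id):
    """Assumed single-input variant of the lookup: one key in, at most one row out."""
    return conn.execute(
        "SELECT user_name, member_type FROM myTable WHERE user_id = ?", (user_id,)
    ).fetchone()


def enrich(conn, event):
    """Run the single-key lookup once per id field and alias the outputs per field.
    Assumed SPL equivalent (requires the lookup to be defined with one input, user_id):
      | lookup myDbLookup user_id AS person_id1 OUTPUT user_name AS user_name1, member_type AS member_type1
      | lookup myDbLookup user_id AS person_id2 OUTPUT user_name AS user_name2, member_type AS member_type2
    Each name is now attributable to the id that produced it, and the
    "both match" case yields two distinct, labelled names instead of two anonymous rows."""
    out = dict(event)
    for n in (1, 2):
        row = single_key_lookup(conn, event[f"person_id{n}"])
        out[f"user_name{n}"] = row[0] if row else None
        out[f"member_type{n}"] = row[1] if row else None
    return out


def run():
    """Return (OR-query rows per event, per-field enriched events) for the sample data."""
    conn = build_db()
    ambiguous = [or_lookup(conn, e["person_id1"], e["person_id2"]) for e in SAMPLE_EVENTS]
    enriched = [enrich(conn, e) for e in SAMPLE_EVENTS]
    conn.close()
    return ambiguous, enriched


if __name__ == "__main__":
    for event, rows, labelled in zip(SAMPLE_EVENTS, *run()):
        print(event)
        print("  OR query rows :", rows)
        print("  per-field     :", labelled)
```

Running it shows the third event returning two rows from the OR query with no way to tell alice from carol by input, while enrich() yields user_name1=alice and user_name2=carol for the same event, and None for every id that has no row.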

Esteemed Legend

I think you are misunderstanding how that lookup works. As written, it requires 2 (both) inputs and returns 2 outputs. So your lookup always "matches both" for lack of a better way to put it. To me, your question (as asked) makes no sense.

0 Karma

Path Finder

You didn't specify an event-field for person_id1.

See:
https://answers.splunk.com/answers/135646/lookup-command-multiple-input-fields.html

Note - the wording changed from 6.2 to 6.3 in the docs, and local-field is now referred to as event-field.

0 Karma