Display Input Lookup Data

harsush · ‎08-11-2017

Hi Team,

How to display lookup fields along with search fields.

search Query
index=AA* host=ABC source=/tmp/processMonitor* instance=XYZ apphome =*** | lookup boxdata host | search box_live_state="LIVE" | stats latest(state) as Status by host, apphome, instance, appmon | table host apphome instance appmon box_live_state

Iam not getting anything under box_live_state, Is thr any way to display ??

boxdata
box_env box_live_state box_location box_model box_os box_patch box_rack box_rfb box_ver host
QA NOTLIVE ABC-DE HPXYZQ RHAS 1234 324 lxmcp 6.9 hostny01

Expecting output
host apphome instance appmon Status box_live_state
ABC /xy/abc abc 1 down Live

Thanks
Harsha

niketn · ‎08-12-2017

@harsush, please reverse the lookup pipe which should be after stats command. In your current query the stats command is removing enriched field/s from lookup including box_live_state.

index=AA* host=ABC source=/tmp/processMonitor* instance=XYZ apphome =*** 
| stats latest(state) as Status by host, apphome, instance, appmon 
| lookup boxdata host 
| search box_live_state="LIVE"
| table host apphome instance appmon box_live_state

Also as per performance consideration, lookup should be performed after transforming commands ensuring records are reduced prior to correlating with the lookup file: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup#Optimizing_your_lookup_se...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎08-29-2017

@harsush, please confirm whether your issue is resolved.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Display Input Lookup Data

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Are you a member of the Splunk Community?

Display Input Lookup Data

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!