Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Filtering Lookup Results

aquinojason
Path Finder
‎04-16-2021 06:59 AM

Hi, 

Below is a result of a lookup command, how do I exclude the other information if I based in on BusinessUnit, For ex. I want to show BU2 only...  but there maybe cases that I need to show BU1 only. How can I filter my lookup result?

Application BusinessUnit DATE CALCMIPS

 
App1
App2
App3
App4
BU1
BU2
BU1
BU1
31DEC202020

 

 

 

My splunk query looks like

index=index1 sourcetype=source1 [ |inputlookup Application.csv where BusinessUnit = BU1 | return 1000 ACCOUNT_CODE] |  lookup Application.csv ACCOUNT_CODE OUTPUT Application BusinessUnit ApplicationRTO | table Application BusinessUnit DATE MVS_SYSTEM_ID CALCMIPS

Thanks and Regards,

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aquinojason
Path Finder
‎04-16-2021 11:36 AM

Hi,

I just included the BU as part of my lookup. That made it more distinct. 

eval BusinessUnit = "BU1" | lookup Application.csv ACCOUNT_CODE BusinessUnit OUTPUT Application

Thanks and Regards,

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ericjorgensenjr
Path Finder
‎04-16-2021 09:51 AM

What are you trying to accomplish with this bit:

[ |inputlookup Application.csv where BusinessUnit = BU1 | return 1000 ACCOUNT_CODE]

Because it looks to me like there is no field 'ACCOUNT_CODE' in the lookup, so this is going to return null.

Also, based on the way you displayed the output of the lookup are the Application and Business Unit multivalue?

Lastly, I think it's not fully clear what you're trying to accomplish with the search, can you elaborate?

0 Karma
Reply
Solved! Jump to solution

aquinojason
Path Finder
‎04-16-2021 09:54 AM

Hi,

Apologies if I didn't made myself clear but I was able to filter my lookup properly now after fixing my logic. Thanks!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-16-2021 11:29 AM

Please share the fix and accept it as the solution to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

aquinojason
Path Finder
‎04-16-2021 11:36 AM

Hi,

I just included the BU as part of my lookup. That made it more distinct. 

eval BusinessUnit = "BU1" | lookup Application.csv ACCOUNT_CODE BusinessUnit OUTPUT Application

Thanks and Regards,

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...