Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Filtering Lookup Results

aquinojason
Path Finder
‎04-16-2021 06:59 AM

Hi, 

Below is a result of a lookup command, how do I exclude the other information if I based in on BusinessUnit, For ex. I want to show BU2 only...  but there maybe cases that I need to show BU1 only. How can I filter my lookup result?

Application BusinessUnit DATE CALCMIPS

 
App1
App2
App3
App4
BU1
BU2
BU1
BU1
31DEC202020

 

 

 

My splunk query looks like

index=index1 sourcetype=source1 [ |inputlookup Application.csv where BusinessUnit = BU1 | return 1000 ACCOUNT_CODE] |  lookup Application.csv ACCOUNT_CODE OUTPUT Application BusinessUnit ApplicationRTO | table Application BusinessUnit DATE MVS_SYSTEM_ID CALCMIPS

Thanks and Regards,

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aquinojason
Path Finder
‎04-16-2021 11:36 AM

Hi,

I just included the BU as part of my lookup. That made it more distinct. 

eval BusinessUnit = "BU1" | lookup Application.csv ACCOUNT_CODE BusinessUnit OUTPUT Application

Thanks and Regards,

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ericjorgensenjr
Path Finder
‎04-16-2021 09:51 AM

What are you trying to accomplish with this bit:

[ |inputlookup Application.csv where BusinessUnit = BU1 | return 1000 ACCOUNT_CODE]

Because it looks to me like there is no field 'ACCOUNT_CODE' in the lookup, so this is going to return null.

Also, based on the way you displayed the output of the lookup are the Application and Business Unit multivalue?

Lastly, I think it's not fully clear what you're trying to accomplish with the search, can you elaborate?

0 Karma
Reply
Solved! Jump to solution

aquinojason
Path Finder
‎04-16-2021 09:54 AM

Hi,

Apologies if I didn't made myself clear but I was able to filter my lookup properly now after fixing my logic. Thanks!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-16-2021 11:29 AM

Please share the fix and accept it as the solution to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

aquinojason
Path Finder
‎04-16-2021 11:36 AM

Hi,

I just included the BU as part of my lookup. That made it more distinct. 

eval BusinessUnit = "BU1" | lookup Application.csv ACCOUNT_CODE BusinessUnit OUTPUT Application

Thanks and Regards,

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...