Splunk Search

Filtering Lookup Results

aquinojason
Path Finder

Hi, 

Below is a result of a lookup command, how do I exclude the other information if I based in on BusinessUnit, For ex. I want to show BU2 only...  but there maybe cases that I need to show BU1 only. How can I filter my lookup result?

Application BusinessUnit DATE CALCMIPS

 
App1
App2
App3
App4
BU1
BU2
BU1
BU1
31DEC202020

 

 

 

My splunk query looks like

index=index1 sourcetype=source1 [ |inputlookup Application.csv where BusinessUnit = BU1 | return 1000 ACCOUNT_CODE] |  lookup Application.csv ACCOUNT_CODE OUTPUT Application BusinessUnit ApplicationRTO | table Application BusinessUnit DATE MVS_SYSTEM_ID CALCMIPS

Thanks and Regards,

Labels (1)
0 Karma
1 Solution

aquinojason
Path Finder

Hi,

I just included the BU as part of my lookup. That made it more distinct. 

eval BusinessUnit = "BU1" | lookup Application.csv ACCOUNT_CODE BusinessUnit OUTPUT Application

Thanks and Regards,

View solution in original post

0 Karma

ericjorgensenjr
Path Finder

What are you trying to accomplish with this bit:

[ |inputlookup Application.csv where BusinessUnit = BU1 | return 1000 ACCOUNT_CODE]

Because it looks to me like there is no field 'ACCOUNT_CODE' in the lookup, so this is going to return null.

Also, based on the way you displayed the output of the lookup are the Application and Business Unit multivalue?

Lastly, I think it's not fully clear what you're trying to accomplish with the search, can you elaborate?

0 Karma

aquinojason
Path Finder

Hi,

Apologies if I didn't made myself clear but I was able to filter my lookup properly now after fixing my logic. Thanks!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Please share the fix and accept it as the solution to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

aquinojason
Path Finder

Hi,

I just included the BU as part of my lookup. That made it more distinct. 

eval BusinessUnit = "BU1" | lookup Application.csv ACCOUNT_CODE BusinessUnit OUTPUT Application

Thanks and Regards,

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...