Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Hashtable Functionality OR lookup Tables

daktapaal
Path Finder
‎01-21-2014 09:46 PM

Hi All,
I have a lookup table that looks like:

Key,value

cat1,val1


cat2,val2


cat3,val3

this is in a lookup file called keyvalpairs.csv

i want to query the look up table to return value when a key is passed in.

key is a concat of two field values in a search

i want a

pseudo query

that looks something like,

sourcetype = * | eval keyfield = field1."#'.field2 | lookup keyvalpairs.csv [where Key = **keyfield] OUTPUT value |

so that the concat of field1 and field2 from the events is looked into the CSV and the corresponding value is printed..

is this doable?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

laserval
Communicator
‎01-22-2014 07:49 AM

You can't query the lookup files, unfortunately. Mistunderstood you. As the earlier answer noted, this is exactly what lookup does. Just use key AS keyfield.

I would do

... | eval keyfield = field1."#".field2 | lookup keyvalpairs key AS keyfield OUTPUT value | where isnotnull(value)

Note: if you've set a default value for your lookup, you'll need to check for that instead of null.

You would then filter out any events or rows that do not have keyfield, or where keyfield doesn't match a key in the lookup table.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

laserval
Communicator
‎01-22-2014 07:49 AM

You can't query the lookup files, unfortunately. Mistunderstood you. As the earlier answer noted, this is exactly what lookup does. Just use key AS keyfield.

I would do

... | eval keyfield = field1."#".field2 | lookup keyvalpairs key AS keyfield OUTPUT value | where isnotnull(value)

Note: if you've set a default value for your lookup, you'll need to check for that instead of null.

You would then filter out any events or rows that do not have keyfield, or where keyfield doesn't match a key in the lookup table.

0 Karma
Reply
Solved! Jump to solution

daktapaal
Path Finder
‎01-29-2014 05:57 PM

This is great. Thanks for this.. although I figured that if I keep the variable name same as the name of the key, then it works straight away . Thanks again

0 Karma
Reply
Solved! Jump to solution

nekb1958
Path Finder
‎01-22-2014 02:26 AM

Hi

I do not really understand your question. looking at the syntax of the lookup command

http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Lookup

lookup [local=<bool>] [update=<bool>] <lookup-table-name> (<lookup-field> [AS <local-field>] ) ( OUTPUT | OUTPUTNEW <lookup-destfield> [AS <local-destfield>] )

so for me, your lookup looks like:

lookup keyvaluepairs keyfield OUTPUT value

0 Karma
Reply
Solved! Jump to solution

daktapaal
Path Finder
‎01-22-2014 05:20 AM

i can't do your suggestion because for lookup keyvaluepairs keyfield OUTPUT value to work, there should be a header in csv called keyfield. but csv only has key and value as header. so i was hoping , there could be a solution where i can search for a record in the csv. where key = keyfield. and return Value entry for the corresponding record

0 Karma
Reply
Solved! Jump to solution

daktapaal
Path Finder
‎01-22-2014 05:15 AM

i did lookup that syntax in docs.. but my query should do the following :
1. search on the sourcetype: *
2.create an interim variable called keyfield which has the concat of the field1 and field2
3.look up into the CSV ( it has two headings: Key and Value.) for the record, where key = keyfield variable we evaluated.
4. Output the value of the record, where Key = key field.
so the pseudo query, or the query i would have thought, which obviously won't work, is :sourcetype=*|eval keyfield = field1."#'.field2 | lookup kevalpairs.csv [Key=keyfield] OUTPUT val.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...