Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help getting search that includes LOOKUP that are merged into one row for each result

CSULeigh
Explorer
‎08-19-2020 07:01 PM

I am trying to get the following results for date, email and answer with the other data into separate rows:

Results I am getting:

Screen Shot 2020-08-19 at 7.00.13 PM.png

Results I need to see:

Screen Shot 2020-08-19 at 7.00.31 PM.png

Search Query:

index=someindex 
| eval status=case(like(_raw, "%NO%"), "NO", like(_raw, "%YES%"), "YES")
| lookup fall2020OnCampusStudents email OUTPUT class, name, ID, className, classNumber, college
| search class!=""
| table Date, name, email, ID, status, class, className, classNumber, college
| sort college, email, class
| rename email AS "Email", status AS "Answer", class AS "Classes", className as "Class Name", classNumber as "Class Number", college as "College"

I have tried using mvexpand, but it will only take the first line of each field. I am still trying to understand other techniques, but still learning. 

 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

CSULeigh
Explorer
‎08-20-2020 12:46 PM

Solved the issue with Splunks Help:

| inputlookup fall2020OnCampusStudents.csv
| join email
    [search index=someindex | eval status=case(like(_raw, "%NO%"), "NO", like(_raw, "%YES%"), "YES")
    | table Date, status, email]
| table Date, name, email, ID, status, class, className, classNumber, college
| sort college, email
 
I know the join is expensive, but this will run once a day.

 

View solution in original post

Reply
Solved! Jump to solution
Solution

CSULeigh
Explorer
‎08-20-2020 12:46 PM

Solved the issue with Splunks Help:

| inputlookup fall2020OnCampusStudents.csv
| join email
    [search index=someindex | eval status=case(like(_raw, "%NO%"), "NO", like(_raw, "%YES%"), "YES")
    | table Date, status, email]
| table Date, name, email, ID, status, class, className, classNumber, college
| sort college, email
 
I know the join is expensive, but this will run once a day.

 

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...