Solved: Help getting search that includes LOOKUP that are ...

CSULeigh · ‎08-19-2020

I am trying to get the following results for date, email and answer with the other data into separate rows:

Results I am getting:

Results I need to see:

Search Query:

index=someindex
| eval status=case(like(_raw, "%NO%"), "NO", like(_raw, "%YES%"), "YES")
| lookup fall2020OnCampusStudents email OUTPUT class, name, ID, className, classNumber, college
| search class!=""
| table Date, name, email, ID, status, class, className, classNumber, college
| sort college, email, class
| rename email AS "Email", status AS "Answer", class AS "Classes", className as "Class Name", classNumber as "Class Number", college as "College"

I have tried using mvexpand, but it will only take the first line of each field. I am still trying to understand other techniques, but still learning.

CSULeigh · ‎08-20-2020

Solved the issue with Splunks Help:

| inputlookup fall2020OnCampusStudents.csv
| join email
[search index=someindex | eval status=case(like(_raw, "%NO%"), "NO", like(_raw, "%YES%"), "YES")
| table Date, status, email]
| table Date, name, email, ID, status, class, className, classNumber, college
| sort college, email

I know the join is expensive, but this will run once a day.

View solution in original post

CSULeigh · ‎08-20-2020

Solved the issue with Splunks Help:

| inputlookup fall2020OnCampusStudents.csv
| join email
[search index=someindex | eval status=case(like(_raw, "%NO%"), "NO", like(_raw, "%YES%"), "YES")
| table Date, status, email]
| table Date, name, email, ID, status, class, className, classNumber, college
| sort college, email

I know the join is expensive, but this will run once a day.

Help getting search that includes LOOKUP that are merged into one row for each result

eval

lookup

table

OpenTelemetry for Legacy Apps? Yes, You Can!

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

.conf25 Community Recap

Are you a member of the Splunk Community?