Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Help with inputlookup and table

tlmayes
Contributor
‎09-15-2017 05:09 AM

I have a lookup table that has several columns as follows, with no data in the "Manager" column:

alt text

I have an index that has two fields of interest: IP, Manager. The field IP in the index will be the same as that in the lookup table. What I need to accomplish is:
1. Query the index for all instances where the IP in the lookup table is found also in the index
2. Populate the lookup table column "Manager" with the field data found from the query above, in the appropriate row based on IP relationship

Hope somebody can help

Preview file
21 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎09-15-2017 05:22 AM 
| inputlookup yourlookuo
| join IP type=inner [ search index=yourindex Manager=* IP=* ]
| table HOSTNAME Manager IP SUBNET ... 
| outputlookup yourLookup

This will only get events from yourindex where Manager and IP fields exist, and join them to the lookup, only keeping events that join to the lookup's IP field.

You will need your field names to match on both sides so if the field is called ipAddr in yourindex, you will want to use '| rename ipAddr as IP' in the join.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎09-15-2017 05:22 AM 
| inputlookup yourlookuo
| join IP type=inner [ search index=yourindex Manager=* IP=* ]
| table HOSTNAME Manager IP SUBNET ... 
| outputlookup yourLookup

This will only get events from yourindex where Manager and IP fields exist, and join them to the lookup, only keeping events that join to the lookup's IP field.

You will need your field names to match on both sides so if the field is called ipAddr in yourindex, you will want to use '| rename ipAddr as IP' in the join.

0 Karma
Reply
Solved! Jump to solution

tlmayes
Contributor
‎09-15-2017 05:47 AM

One point I left out, not all IP's in the lookup table will match an IP in the index. For example, the lookup table has 1000 records, but only 40 matches between the two sources. Using this query, the lookup table is replaced with 40 matches, removing the 960 unmatched IP's. If I use "append=t", the matched records are ADDED to the list of 1000.

What I am hoping for is that the outcome is that I end up with the same 1000 entries in the lookup table, but with only 40 of them having an entry in the column "Manager". An update, not a replace or append.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎09-15-2017 05:57 AM

Ok change type=inner to type=outer.

0 Karma
Reply
Solved! Jump to solution

tlmayes
Contributor
‎09-15-2017 06:19 AM

That did it... Thanks very much

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...