Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help with lookup table

Abhineet
Loves-to-Learn Everything
‎03-23-2023 07:13 AM

Hi, 

looking for splunk query having field name similar to field in lookup file with respective value in lookup file.

query have field "index" value is same as lookup file field "CAPNSplunk" value.

if "index" field value matches with lookup file "CAPNSplunk" then "index" field value should get replaced with associated "RANSplunk" field value available in lookup file.

lookup file:

CAPNSplunk,RANSplunk
"Pricing","Pricing Outlier"

"Smart_Factory","Smart Factory BUCT"
"SMARTFACTORY_LOGISTICS","Smart Factory Logistics"
"SmartFactory_PM_Console","Smart Factory PM Console"
"GCW_Dashboard","Global Contingent Worker Dashboard"
"HRM_Spans_Layers","HRM - Spans & Layers"
"Unity_Portal-Part_Aggregation","Unity Portal"
"Blackbird_Dashboard","Blackbird"
"WWops","WWOps"
"AGS_metrology_AutoML","Metrology Auto ML Classification"
"Action_Plan_Tracker","IDCL"

 

index:

Pricing
Smart_Factory
SMARTFACTORY_LOGISTICS
SmartFactory_PM_Console
GCW_Dashboard
HRM_Spans_Layers
Unity_Portal-Part_Aggregation
Blackbird_Dashboard
WWops
AGS_metrology_AutoML

Action_Plan_Tracker

 

For example:

if "index" field value is "Pricing" then it should get replaced with "Pricing Outlier" after looking into lookup file.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-23-2023 10:02 AM

You could try this

| lookup lookupfile CAPNSplunk AS index OUTPUT index AS RANSplunk

Although, using field names such as index might cause issues as this is a system supplied field.

https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Lookup 

0 Karma
Reply

Abhineet
Loves-to-Learn Everything
‎03-23-2023 10:53 AM

renamed eval field "index" with "app" .

Getting below mentioned screenshot error.

Abhineet_0-1679593956452.png

 

Kindly suggest.

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-23-2023 12:09 PM

Sorry, I had the output fields the wrong way around, try it this way

| lookup AppName.csv CAPNSplunk AS app OUTPUT RANSplunk AS app
0 Karma
Reply

Abhineet
Loves-to-Learn Everything
‎03-24-2023 02:37 AM

Thanks for response, that's not my requirement.

this lookup query gives only app available in lookup file with replaced name.

app which is not available in lookup file should be as it is.

for example "ADKB" app is not available in lookup file it should come in output as it is.

lookup query should replace app name which is available in lookup file rest app name should be as it is.

Abhineet_0-1679650516054.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-24-2023 02:44 AM

Try this

| lookup AppName.csv CAPNSplunk AS app
| eval app=coalesce(RANSplunk,app)
0 Karma
Reply

Abhineet
Loves-to-Learn Everything
‎03-24-2023 06:29 AM

Thanks....

It's working as expected.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...