Splunk Search

How do I append columns to a search via inputlookup where the field names do not match?

jguthrie71
Explorer

I'm relatively new to Splunk and I'm trying to use an existing lookup table to append columns to a search where the field name in the lookup table is not the same field name from the output of the search. i.e.

index=ti-p_tcr_reporter* source=tcr_reporter* earliest=-2d@d latest=-1d@d BOA_TICKETNUMBER="INC*" 
| stats count as Incidents by BOA_AIT 
| eval AppID=BOA_AIT 
| appendcols [inputlookup tcr_ait-info 
| fields AppID, AppFullName, AppStatus]

So BOA_AIT is the fieldname from the originating search that I want to lookup the value of which in tcr_ait-info table where the corresponding fieldname is AppID. Then, I want to append the columns AppFullName & AppStatus that correspond to the appropriate field BOA_AIT/AppID.

I'm probably miles off above but any assistance would be greatly appreciated.

0 Karma
1 Solution

jamesmoriarty
Explorer

Hello!

Have you checked out this link yet?

http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Lookup

The lookup command does (I believe) what you're trying to do with appeldcols! They've got some info in there on using the "OUTPUTNEW" command where you can essentially tell Splunk "okay, the field in the lookup file is going to be named X, but the field in my search calls it Y."

Something you may want to consider is if your "eval AppID=BOA_AIT" pipe is necessary. Being able to tell Splunk field names in a search and a lookup table are named different but are the same might actually eliminate the need for that command. Does that answer your question or did that just bring up more questions? If you need more help with the lookup command syntax, there's a pretty cool post here:

https://answers.splunk.com/answers/588630/understanding-the-lookup-command.html

~James M

View solution in original post

jamesmoriarty
Explorer

Hello!

Have you checked out this link yet?

http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Lookup

The lookup command does (I believe) what you're trying to do with appeldcols! They've got some info in there on using the "OUTPUTNEW" command where you can essentially tell Splunk "okay, the field in the lookup file is going to be named X, but the field in my search calls it Y."

Something you may want to consider is if your "eval AppID=BOA_AIT" pipe is necessary. Being able to tell Splunk field names in a search and a lookup table are named different but are the same might actually eliminate the need for that command. Does that answer your question or did that just bring up more questions? If you need more help with the lookup command syntax, there's a pretty cool post here:

https://answers.splunk.com/answers/588630/understanding-the-lookup-command.html

~James M

jguthrie71
Explorer

Thanks James for the rapid response and the pointers to the lookup for beginners post which certainly helped.
My search now looks like: -
index=ti-p_tcr_reporter* source=tcr_reporter* earliest=-2d@d latest=-1d@d BOA_TICKETNUMBER="INC*"
| stats count as Incidents by BOA_AIT | lookup tcr_ait-info AppID as BOA_AIT OUTPUTNEW AppID, AppFullName, AppStatus

However I am currently unable to verify that this is working as desired as I think there is an issue with the Splunk instance where the lookup table tcr_ait-info resides i.e. even | inputlookup tcr_ait-info is no longer pulling back data.

Once I've had a chance to verify the new search I'll accept your answer.

Thanks again!

jguthrie71
Explorer

Verified new command; answer accepted.

0 Karma

jamesmoriarty
Explorer

Awesome, glad I could be of some help!

Something you may want to consider with your index/source specifications - the wildcard (*) can be fairly expensive depending on how many events you're looking at, so it might be worth investing some time to figure out if you're always going to be checking for events in a specific set of indexes with certain sources. Cheers!

~James M

0 Karma
Get Updates on the Splunk Community!

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...