I'm relatively new to Splunk and I'm trying to use an existing lookup table to append columns to a search where the field name in the lookup table is not the same field name from the output of the search. i.e.
index=ti-p_tcr_reporter* source=tcr_reporter* earliest=-2d@d latest=-1d@d BOA_TICKETNUMBER="INC*"
| stats count as Incidents by BOA_AIT
| eval AppID=BOA_AIT
| appendcols [inputlookup tcr_ait-info
| fields AppID, AppFullName, AppStatus]
So BOA_AIT is the field name from the originating search whose value I want to look up in the tcr_ait-info table, where the corresponding field name is AppID. Then, I want to append the columns AppFullName & AppStatus that correspond to the appropriate field BOA_AIT/AppID.
I'm probably miles off above but any assistance would be greatly appreciated.
Hello!
Have you checked out this link yet?
http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Lookup
The lookup command does (I believe) what you're trying to do with appendcols! They've got some info in there on using the "OUTPUTNEW" command where you can essentially tell Splunk "okay, the field in the lookup file is going to be named X, but the field in my search calls it Y."
Something you may want to consider is whether your "eval AppID=BOA_AIT" pipe is necessary. Being able to tell Splunk that field names in a search and a lookup table are named differently but are the same might actually eliminate the need for that command. Does that answer your question or did that just bring up more questions? If you need more help with the lookup command syntax, there's a pretty cool post here:
https://answers.splunk.com/answers/588630/understanding-the-lookup-command.html
~James M
Thanks James for the rapid response and the pointers to the lookup for beginners post which certainly helped.
My search now looks like:
index=ti-p_tcr_reporter* source=tcr_reporter* earliest=-2d@d latest=-1d@d BOA_TICKETNUMBER="INC*"
| stats count as Incidents by BOA_AIT | lookup tcr_ait-info AppID as BOA_AIT OUTPUTNEW AppID, AppFullName, AppStatus
However I am currently unable to verify that this is working as desired as I think there is an issue with the Splunk instance where the lookup table tcr_ait-info resides i.e. even | inputlookup tcr_ait-info is no longer pulling back data.
Once I've had a chance to verify the new search I'll accept your answer.
Thanks again!
Verified new command; answer accepted.
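To make the difference between the two approaches in this thread concrete, here is an added example (not from the original post or from Splunk) that models, in plain Python, what `| lookup tcr_ait-info AppID AS BOA_AIT OUTPUTNEW ...` does versus `| appendcols [inputlookup ... | fields ...]`. The sample rows, the table contents and the AIT values are constructed for illustration; the model keeps only the first matching lookup row per key (real Splunk returns multivalue fields on multiple matches) and ignores case-sensitivity settings.

```python
from typing import Dict, List

# Constructed sample data: what `stats count as Incidents by BOA_AIT` might return...
STATS_ROWS: List[Dict] = [
    {"BOA_AIT": "1001", "Incidents": 7},
    {"BOA_AIT": "1002", "Incidents": 3},
    {"BOA_AIT": "1003", "Incidents": 1, "AppStatus": "Unknown"},
]

# ...and a constructed stand-in for the tcr_ait-info lookup table (deliberately not
# in the same order as the search results, as a real lookup file would not be).
LOOKUP_TABLE: List[Dict] = [
    {"AppID": "1003", "AppFullName": "Payments Gateway", "AppStatus": "Active"},
    {"AppID": "1001", "AppFullName": "HR Portal", "AppStatus": "Retired"},
    {"AppID": "9999", "AppFullName": "Unused App", "AppStatus": "Active"},
]


def lookup(rows: List[Dict], table: List[Dict], lookup_field: str, search_field: str,
           output_fields: List[str], outputnew: bool = True) -> List[Dict]:
    """Model of `| lookup <table> <lookup_field> AS <search_field> OUTPUT[NEW] <fields>`.

    Each search row is matched by KEY: row[search_field] == table[lookup_field].
    OUTPUTNEW only fills output fields that are absent or empty in the row;
    OUTPUT overwrites them. Rows with no match are passed through unchanged.
    """
    index: Dict[str, Dict] = {}
    for entry in table:
        index.setdefault(entry[lookup_field], entry)  # first match wins (simplification)
    result = []
    for row in rows:
        new_row = dict(row)
        match = index.get(row.get(search_field))
        if match is not None:
            for field in output_fields:
                if outputnew and new_row.get(field) not in (None, ""):
                    continue  # OUTPUTNEW never clobbers an existing value
                new_row[field] = match.get(field)
        result.append(new_row)
    return result


def appendcols(rows: List[Dict], table: List[Dict], fields: List[str]) -> List[Dict]:
    """Model of `| appendcols [ inputlookup <table> | fields <fields> ]`.

    appendcols pastes the subsearch's columns onto the main results by ROW
    POSITION, with no join key, so the values only line up if both result sets
    happen to be in the same order and of the same length.
    """
    result = []
    for position, row in enumerate(rows):
        new_row = dict(row)
        if position < len(table):
            for field in fields:
                new_row[field] = table[position].get(field)
        result.append(new_row)
    return result


def enriched_by_lookup() -> List[Dict]:
    """The corrected search from the thread: lookup keyed on AppID AS BOA_AIT."""
    return lookup(STATS_ROWS, LOOKUP_TABLE, "AppID", "BOA_AIT",
                  ["AppID", "AppFullName", "AppStatus"], outputnew=True)


def enriched_by_appendcols() -> List[Dict]:
    """The original attempt from the thread: appendcols with no join key."""
    return appendcols(STATS_ROWS, LOOKUP_TABLE, ["AppID", "AppFullName", "AppStatus"])


if __name__ == "__main__":
    for label, rows in (("lookup", enriched_by_lookup()), ("appendcols", enriched_by_appendcols())):
        print(f"--- {label} ---")
        for r in rows:
            print(r)
```

Running the block shows that `lookup` attaches "HR Portal" to AIT 1001 and leaves 1002 (absent from the table) without app fields, while `appendcols` silently attaches the Payments Gateway row to AIT 1001 simply because it is first in the file. The OUTPUTNEW semantics are also visible on the 1003 row, whose pre-existing AppStatus of "Unknown" is preserved; use OUTPUT instead when the lookup table should be authoritative.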
Awesome, glad I could be of some help!
Something you may want to consider with your index/source specifications - the wildcard (*) can be fairly expensive depending on how many events you're looking at, so it might be worth investing some time to figure out if you're always going to be checking for events in a specific set of indexes with certain sources. Cheers!
~James M