Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I return lookup events only if they match certain field values?

russell120
Communicator
‎10-02-2018 01:37 PM

Hi, I have two lookup files below:

masterinventory.csv

type        make    model       year     storeID     keycode 
sedan      nissan   altima      2012      russell     1234    
sedan      dodge    wrangler    2005       jim        9999
coupe      toyota   scion       2012      russell     4321    
coupe      dodge    challenger  2008      russell     1111
hatchback  buick    regal       2017      billy       2222
van        KIA      optima      2010      elon        3333
truck      GMC      sierra      2012      elon        4444

russinventory.csv

make    model      year     storeID    price
nissan   altima     2012     russell    8500
toyota   scion      2012     russell    5000
dodge   challenger  2008     russell    4110

How do I use the model and year fields in russinventory.csv to display ONLY the events in masterinventory.csv that have matching values for those two fields? The result should display this from masterinventory.csv:

type        make    model       year     storeID     keycode 
sedan      nissan   altima      2012      russell     1234    
coupe      toyota   scion       2012      russell     4321    
coupe      dodge    challenger  2008      russell     1111

There is at least 1 field in each lookup file that is not in the other lookup file. That is intentional as it best reflects what the real data looks like

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Vijeta
Influencer
‎10-02-2018 01:48 PM

|inputlookup masterinventory.csv | join type=inner model year[|inputlookup russinventory.csv]| table type make model year storeID keycode

View solution in original post

Reply
Solved! Jump to solution
Solution

Vijeta
Influencer
‎10-02-2018 01:48 PM

|inputlookup masterinventory.csv | join type=inner model year[|inputlookup russinventory.csv]| table type make model year storeID keycode

Reply
Solved! Jump to solution

russell120
Communicator
‎10-03-2018 06:50 AM

@Vijeta This returned "No results found".

0 Karma
Reply
Solved! Jump to solution

russell120
Communicator
‎10-03-2018 10:55 AM

Correction -- This does seem to work. There is an issue in my CSV where there's a weird number of spaces so I tested it out with other fields and it works. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...