Splunk Search

How do I return lookup events only if they match certain field values?

russell120
Communicator

Hi, I have two lookup files below:

masterinventory.csv

type       make    model       year  storeID  keycode
sedan      nissan  altima      2012  russell  1234
sedan      dodge   wrangler    2005  jim      9999
coupe      toyota  scion       2012  russell  4321
coupe      dodge   challenger  2008  russell  1111
hatchback  buick   regal       2017  billy    2222
van        KIA     optima      2010  elon     3333
truck      GMC     sierra      2012  elon     4444

russinventory.csv

make    model       year  storeID  price
nissan  altima      2012  russell  8500
toyota  scion       2012  russell  5000
dodge   challenger  2008  russell  4110

How do I use the model and year fields in russinventory.csv to display ONLY the events in masterinventory.csv that have matching values for those two fields? The result should display this from masterinventory.csv:

type   make    model       year  storeID  keycode
sedan  nissan  altima      2012  russell  1234
coupe  toyota  scion       2012  russell  4321
coupe  dodge   challenger  2008  russell  1111

There is at least 1 field in each lookup file that is not in the other lookup file. That is intentional, as it best reflects what the real data looks like.

0 Karma
1 Solution

Vijeta
Influencer

| inputlookup masterinventory.csv | join type=inner model year [| inputlookup russinventory.csv] | table type make model year storeID keycode


russell120
Communicator

@Vijeta This returned "No results found".

0 Karma

russell120
Communicator

Correction -- This does seem to work. There is an issue in my CSV where there's a weird number of spaces so I tested it out with other fields and it works. Thanks!

0 Karma
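
An added example, not part of the original thread: the same inner join with the whitespace problem described in the correction handled inside the search. It uses only the lookup files and field names from the question; collapsing runs of spaces and trimming both sides is an assumption about what the "weird number of spaces" looked like.

```spl
| inputlookup masterinventory.csv
| eval model=trim(replace(model, "\s+", " ")), year=trim(year)
| join type=inner model year
    [| inputlookup russinventory.csv
     | eval model=trim(replace(model, "\s+", " ")), year=trim(year)
     | fields model year]
| table type make model year storeID keycode
```

Restricting the subsearch to `fields model year` keeps `make` and `storeID` from russinventory.csv from overwriting the values in masterinventory.csv, since `join` overwrites same-named fields by default.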