Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I return lookup events only if they match certain field values?

russell120
Communicator
‎10-02-2018 01:37 PM

Hi, I have two lookup files below:

masterinventory.csv

type        make    model       year     storeID     keycode 
sedan      nissan   altima      2012      russell     1234    
sedan      dodge    wrangler    2005       jim        9999
coupe      toyota   scion       2012      russell     4321    
coupe      dodge    challenger  2008      russell     1111
hatchback  buick    regal       2017      billy       2222
van        KIA      optima      2010      elon        3333
truck      GMC      sierra      2012      elon        4444

russinventory.csv

make    model      year     storeID    price
nissan   altima     2012     russell    8500
toyota   scion      2012     russell    5000
dodge   challenger  2008     russell    4110

How do I use the model and year fields in russinventory.csv to display ONLY the events in masterinventory.csv that have matching values for those two fields? The result should display this from masterinventory.csv:

type        make    model       year     storeID     keycode 
sedan      nissan   altima      2012      russell     1234    
coupe      toyota   scion       2012      russell     4321    
coupe      dodge    challenger  2008      russell     1111

There is at least 1 field in each lookup file that is not in the other lookup file. That is intentional as it best reflects what the real data looks like

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Vijeta
Influencer
‎10-02-2018 01:48 PM

|inputlookup masterinventory.csv | join type=inner model year[|inputlookup russinventory.csv]| table type make model year storeID keycode

View solution in original post

Reply
Solved! Jump to solution
Solution

Vijeta
Influencer
‎10-02-2018 01:48 PM

|inputlookup masterinventory.csv | join type=inner model year[|inputlookup russinventory.csv]| table type make model year storeID keycode

Reply
Solved! Jump to solution

russell120
Communicator
‎10-03-2018 06:50 AM

@Vijeta This returned "No results found".

0 Karma
Reply
Solved! Jump to solution

russell120
Communicator
‎10-03-2018 10:55 AM

Correction -- This does seem to work. There is an issue in my CSV where there's a weird number of spaces so I tested it out with other fields and it works. Thanks!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...