Splunk Search

How do I return lookup events only if they match certain field values?

Communicator

Hi, I have two lookup files below:

masterinventory.csv

type        make    model       year     storeID     keycode 
sedan      nissan   altima      2012      russell     1234    
sedan      dodge    wrangler    2005       jim        9999
coupe      toyota   scion       2012      russell     4321    
coupe      dodge    challenger  2008      russell     1111
hatchback  buick    regal       2017      billy       2222
van        KIA      optima      2010      elon        3333
truck      GMC      sierra      2012      elon        4444

russinventory.csv

make    model      year     storeID    price
nissan   altima     2012     russell    8500
toyota   scion      2012     russell    5000
dodge   challenger  2008     russell    4110

How do I use the model and year fields in russinventory.csv to display ONLY the events in masterinventory.csv that have matching values for those two fields? The result should display this from masterinventory.csv:

type        make    model       year     storeID     keycode 
sedan      nissan   altima      2012      russell     1234    
coupe      toyota   scion       2012      russell     4321    
coupe      dodge    challenger  2008      russell     1111

There is at least 1 field in each lookup file that is not in the other lookup file. That is intentional as it best reflects what the real data looks like

0 Karma
1 Solution

Influencer

|inputlookup masterinventory.csv | join type=inner model year[|inputlookup russinventory.csv]| table type make model year storeID keycode

View solution in original post

Influencer

|inputlookup masterinventory.csv | join type=inner model year[|inputlookup russinventory.csv]| table type make model year storeID keycode

View solution in original post

Communicator

@Vijeta This returned "No results found".

0 Karma

Communicator

Correction -- This does seem to work. There is an issue in my CSV where there's a weird number of spaces so I tested it out with other fields and it works. Thanks!

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!