Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I write a search that can match a word from two different lookup files?

satyaallaparthi
Communicator
‎05-08-2023 06:53 AM

Hello, 

 

I have 2 different files names lookup1.csv and lookup2.csv, which have column A and column B in both. 

 

How can we merge two files using a single word in Column A in both files with a sentence in it?

lookup1: Column A: "I am good" 

lookup2: Column A: "I am bad" 

I want to combine both the files using a word "I am" in this case.

 

Any help would be appreciated.

 

 

Labels (2)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎05-08-2023 11:21 PM

Can you explain what is the desired output?  In other words, what does "match" mean in this context?  Is this entire exercise between two lookups or will it involve event data?

0 Karma
Reply

satyaallaparthi
Communicator
‎05-09-2023 05:40 AM

Hi, 

    Entire output will be in between two lookups. 

desired output: if there is a word match in between Column A of two files, then I want to display “yes” in a new Column called Matching_word and “no” if there is no word match. 

 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎05-10-2023 01:32 AM

Splunk may not be the best tool for this task because SPL doesn't have a builtin definition of "word".  If I take space as word boundary, you can do something like

| inputlookup lookup1
| eval lookup = lookup1
| append 
    [ | inputlookup lookup2
    | eval lookup = lookup2]
| eval ColumnA = split(ColumnA, " ") ``` assume space is the only word boundary ```
| stats dc(lookup) as sources by ColumnA
| stats max(sources) as match
| eval match = if(match > 1, "yes", "no")

dc is the basic idea.  You can improve/enhance word detection.  But there is a limit to what you can do before it becomes labor.

Hope this helps.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...