Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add columns from lookup table file to main search

mzn1979
Explorer
‎09-19-2020 12:47 AM

Hi everyone

I do a search in Splunk and this is the results

NamePriceDate
apple235689/18/2020
apple233469/18/2020
apple226979/18/2020
apple209/18/2020
apple226749/19/2020
apple259879/19/2020
apple267969/19/2020
apple253419/19/2020

 

I have a lookuptable file named apple.csv which is comprised of these contents.

NameDateMax_PriceMin_Price
apple9/18/20202425022120
apple9/19/20202692024250

 

So I want to add the Max_Price and Min_Price to the main search something like this

NamePriceDateMax_PriceMin_Price
apple235689/18/20202425022120
apple233469/18/20202425022120
apple226979/18/20202425022120
apple209/18/20202425022120
apple226749/19/20202692024250
apple259879/19/20202692024250
apple267969/19/20202692024250
apple253419/19/20202692024250

 

and then I can determine the wrong result. I mean the following result is not acceptable to me and they're may be wrong or something else.

apple209/18/2020
apple226749/19/2020

 

Thanks in advance

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-19-2020 01:58 AM

Hi @mzn1979,

you have to run something like this:

your_search
| lookup apple.csv Name Date OUTPUT Max_Price Min_Price
| Table Name Price Date Max_Price Min_Price

so you can list all the items adding the two columns from the lookup.

Then, if you want to check the Price with Max and Min, you have to add an eval statement:

| eval check=if(Price>Min_price AND Price<MaxPrice, "OK","NOK")

so you can filter the results:

| where check="NOK"

to have only the ones with Price outside the Min-Max range.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-19-2020 01:58 AM

Hi @mzn1979,

you have to run something like this:

your_search
| lookup apple.csv Name Date OUTPUT Max_Price Min_Price
| Table Name Price Date Max_Price Min_Price

so you can list all the items adding the two columns from the lookup.

Then, if you want to check the Price with Max and Min, you have to add an eval statement:

| eval check=if(Price>Min_price AND Price<MaxPrice, "OK","NOK")

so you can filter the results:

| where check="NOK"

to have only the ones with Price outside the Min-Max range.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

mzn1979
Explorer
‎09-19-2020 02:35 AM

Thank you. That worked perfectly

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-19-2020 02:37 AM

Hi @mzn1979,

good.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...