Solved: How to add lookups that don't have matching fields...

sa_splunk · ‎03-05-2013

Let's say I have log entries as follows:

sourcetype-syslog: time, event_id, host

I want to be able to incorporate two tables that have the following data:

CITY_TABLE: host, city
STATE_TABLE: city, state

How would I be able to add CITY_TABLE and STATE_TABLE to splunk in order to obtain search results that will provide: time, event_id, host, city, state?

The problem I am having is I don't know how to get the STATE_TABLE into Splunk and to include it in my search. For example, when adding STATE_TABLE as a lookup, it asks what I field in STATE_TABLE maps to in the logs (ie we have the choice of using host, sourcetype, etc), but STATE_TABLE doesn't have those fields.

Ayn · ‎03-06-2013

Can't you just chain your lookups?

... | lookup CITY_TABLE host OUTPUT city | lookup STATE_TABLE city OUTPUT state

View solution in original post

Ayn · ‎03-06-2013

Can't you just chain your lookups?

... | lookup CITY_TABLE host OUTPUT city | lookup STATE_TABLE city OUTPUT state

sa_splunk · ‎03-06-2013

Thanks! This worked.

How to add lookups that don't have matching fields on the log entries

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?

How to add lookups that don't have matching fields on the log entries

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console