Splunk Search

How to add results of a lookup into a search?

TorbinIT
Path Finder

Hello!

I've got a search that I'm working on. I've been asked to integrate the results of a lookup table into that search.

The major problem is that the lookup file's data, while it shares common fields with the Splunk search, doesn't have the same dataset. The search and the lookup identify two different sets of results.

Is there a way to simply add all the data in the lookup to the Splunk search so that when I run the search I see both data sets?


gcusello
SplunkTrust
SplunkTrust

Hi @TorbinIT,

in general you can add the lookup records to the search results only using the append command (https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Append) but the effectiveness of this approach depends on your datasets (both search and lookup), on the fields you have and on the values of the common fields.

Could you share your search, a sample of results and the fields and values of your lookup?

Ciao.

Giuseppe
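One way to wire this up, as an added example that is not from the thread: the index `auth`, the lookup file `watchlist.csv` and its columns `user`, `src_ip` and `reason` are assumed. Each side is tagged before the append so lookup rows stay distinguishable, and a final stats over the common fields merges rows that appear in both datasets while keeping rows that appear in only one.

```spl
index=auth action=failure earliest=-24h
| stats count AS failures BY user, src_ip
| eval source_dataset="search"
| append
    [ | inputlookup watchlist.csv
      | fields user, src_ip, reason
      | eval source_dataset="lookup" ]
| stats values(failures) AS failures, values(reason) AS reason, values(source_dataset) AS seen_in BY user, src_ip
| fillnull value="-" failures reason
| table user, src_ip, failures, reason, seen_in
```

Because append runs the lookup as a subsearch, its rows are subject to the subsearch limits (maxout, 50000 rows by default, and maxtime), so a larger lookup is truncated without an error.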

TorbinIT
Path Finder

I just forgot the Append command existed. Thank you! 


gcusello
SplunkTrust
SplunkTrust

Hi @TorbinIT,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
