Splunk Search

How to append an inputlookup table with a main table, in a desired order.

vinod743374
Communicator

I am looking for one requirement, can anyone please help us.

I want to append an inputlookup table to my main table with the same column names and field names.

Here are my main search results.

vinod743374_0-1644916656646.png

Here are my inputlookup results

vinod743374_1-1644916802771.png

Desired Output:

vinod743374_2-1644917711387.png

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @vinod743374,

you have to extract an additional field from Compliant to use only for sorting, something like this:

index=your_index
| fields Compliance "Enabled Password"
| append [ | inputlookup your_lookup.csv | fields Compliance "Enabled Password" ]
| rex field=Compliance "(?<sort_date>\d\d\s\w\w\w)$"
| eval sort_date=sort_date." ".strftime(now(),"%Y")
| eval sort_date=strptime(sort_date,"%d %b %Y")
| sort sort_date
| table Compliance "Enabled Password"

Ciao.

Giuseppe


vinod743374
Communicator

Mistyped the $ instead of % in the time format.
Now it's working fine; I replaced the $ with %.

Thanks for the solution.

0 Karma

gcusello
SplunkTrust

Hi @vinod743374,

sorry for the error, good for you.

ciao and happy splunking.

Giuseppe

0 Karma

vinod743374
Communicator

strpdate is not working. I replaced it with strptime, but it doesn't return any values in the sort_date field.
I sorted it without conversion;
it's working, but not exactly as I want.

Thanks for the help.

0 Karma

gcusello
SplunkTrust

Hi @vinod743374,

sorry, strptime!

it's strange, because it should transform the date in Compliance into an epoch time. Maybe the year is also needed, please try this:

index=your_index
| fields Compliance "Enabled Password"
| append [ | inputlookup your_lookup.csv | fields Compliance "Enabled Password" ]
| rex field=Compliance "(?<sort_date>\d\d\s\w\w\w)$"
| eval sort_date=sort_date." ".strftime(now(),"%Y")
| eval sort_date=strptime(sort_date,"%d $b %Y")
| sort sort_date
| table Compliance "Enabled Password"

Ciao.

Giuseppe

vinod743374
Communicator

Yup, I know the append will work,
but I need it in a specific order, like in the Desired Output image.

Is there any possibility to append after the same value?


0 Karma

vinod743374
Communicator

I have already achieved this in a manual way.

I used a case function to give a number to every value of the Compliance field (the order in which it should appear) and sorted on it.

But I need it in such a way that there is no need to add to the query for every new set of data.

Any suggestion or idea would be appreciated.

Thank you.

0 Karma

gcusello
SplunkTrust

Hi @vinod743374,

you have to extract an additional field from Compliant to use only for sorting, something like this:

index=your_index
| fields Compliance "Enabled Password"
| append [ | inputlookup your_lookup.csv | fields Compliance "Enabled Password" ]
| rex field=Compliance "(?<sort_date>\d\d\s\w\w\w)$"
| eval sort_date=strpdate(sort_date,"%d $b")
| sort sort_date
| table Compliance "Enabled Password"

Ciao.

Giuseppe

gcusello
SplunkTrust

Hi @vinod743374,

you could use the append command, something like this:

I supposed that the enabled password is a field and not a count

index=your_index
| fields Compliance "Enabled Password"
| append [ | inputlookup your_lookup.csv | fields Compliance "Enabled Password" ]
| sort Compliance
| table Compliance "Enabled Password"

Ciao

Giuseppe

 

 

0 Karma
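
The sorting approach from this thread as a self-contained search, added here as an example and not part of any post above: constructed rows from `makeresults` stand in for the index and the lookup, and a hypothetical `src` field keeps each lookup row after the main-search row with the same date. It assumes a Splunk version whose `makeresults` supports `format=csv`, and that the dates are never in the future, so a parsed date later than now is moved back one year (this keeps December rows ahead of January rows when the year is not in the data).

```spl
| makeresults format=csv data="Compliance,Enabled Password
Compliant 14 Feb,120
Non-Compliant 14 Feb,8
Compliant 15 Feb,118
Compliant 28 Dec,115"
| eval src=1
| append
    [| makeresults format=csv data="Compliance,Enabled Password
Compliant 13 Feb,121
Non-Compliant 15 Feb,9
Compliant 14 Feb,119"
    | eval src=2 ]
| rex field=Compliance "(?<day_mon>\d\d\s\w\w\w)$"
| eval sort_date=strptime(day_mon." ".strftime(now(),"%Y"), "%d %b %Y")
| eval sort_date=if(sort_date>now(), relative_time(sort_date,"-1y"), sort_date)
| sort 0 sort_date src
| table Compliance "Enabled Password"
```

Replace the two `makeresults` blocks with `index=your_index` and `inputlookup your_lookup.csv` to run it on real data; `sort 0` lifts the default 10,000-row limit of `sort`.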