Splunk Search

How to append an inputlookup table to a main table, in a desired order.

vinod743374
Communicator

I have one requirement; can anyone please help us?

I want to append an inputlookup table to my main table with the same column names and field names.

Here are my main search results:

[screenshot: vinod743374_0-1644916656646.png]

Here are my inputlookup results:

[screenshot: vinod743374_1-1644916802771.png]

Desired Output:

[screenshot: vinod743374_2-1644917711387.png]

 



1 Solution

gcusello
SplunkTrust

Hi @vinod743374,

you have to extract an additional field from Compliance to use only for sorting, something like this:

index=your_index
| fields Compliance "Enabled Password"
| append [ | inputlookup your_lookup.csv | fields Compliance "Enabled Password" ]
| rex field=Compliance "(?<sort_date>\d\d\s\w\w\w)$"
| eval sort_date=strpdate(sort_date,"%d $b")
| sort sort_date
| table Compliance "Enabled Password"

Ciao.

Giuseppe


vinod743374
Communicator

Mistyped the $ instead of % in the time format.
Now it's working fine; I replaced the $ with %.

Thanks for the solution.


gcusello
SplunkTrust

Hi @vinod743374,

sorry for the error, good for you.

Ciao and happy Splunking.

Giuseppe


vinod743374
Communicator

strpdate is not working; I replaced it with strptime, but it doesn't return any values in the sort_date field.
I sorted it without conversion;
it's working, but not exactly what I want.

Thanks for the help.


gcusello
SplunkTrust

Hi @vinod743374,

sorry, strptime!

It's strange, because it should transform the date in Compliance into an epoch time; maybe the year is also needed. Please try this:

index=your_index
| fields Compliance "Enabled Password"
| append [ | inputlookup your_lookup.csv | fields Compliance "Enabled Password" ]
| rex field=Compliance "(?<sort_date>\d\d\s\w\w\w)$"
| eval sort_date=sort_date." ".strftime(now(),"%Y")
| eval sort_date=strptime(sort_date,"%d $b %Y")
| sort sort_date
| table Compliance "Enabled Password"

Ciao.

Giuseppe
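A self-contained version of the technique discussed in this thread, added here as an illustration and not part of the original posts. Both the "main" rows and the "lookup" rows are constructed with makeresults, so it runs in any Splunk search bar without an index or a lookup file; the Compliance and Enabled Password values are made up. Appending the current year before strptime is an assumption made because the Compliance string carries only day and month, which is why a "%d %b" parse alone yields no usable epoch.

```spl
| makeresults count=3
| streamstats count AS n
| eval Compliance=case(n==1, "Compliant 15 Feb",
                       n==2, "Non-Compliant 10 Jan",
                       n==3, "Compliant 03 Mar"),
       'Enabled Password'=case(n==1, "Yes", n==2, "No", n==3, "Yes")
| fields Compliance "Enabled Password"
| append [
    | makeresults count=2
    | streamstats count AS n
    | eval Compliance=case(n==1, "Non-Compliant 15 Feb",
                           n==2, "Compliant 10 Jan"),
           'Enabled Password'=case(n==1, "No", n==2, "Yes")
    | fields Compliance "Enabled Password"
  ]
| rex field=Compliance "(?<sort_date>\d\d\s\w\w\w)$"
| eval sort_date=strptime(sort_date." ".strftime(now(), "%Y"), "%d %b %Y")
| sort 0 sort_date Compliance
| table Compliance "Enabled Password"
```

Rows whose Compliance value does not end in a "dd Mon" pattern get no sort_date at all, so if such rows exist, add a fillnull or an explicit eval guard before the sort rather than relying on where Splunk places empty values. Stamping every row with the current year also means entries that straddle a year boundary will sort in the wrong order; if the lookup can hold the full date (or an explicit order column), sorting on that is more robust than re-deriving it from the text.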

vinod743374
Communicator

Yup, I know the append will work,
but I need a specific order like in the Desired Output image.

Is there any possibility to append after the same value?



vinod743374
Communicator

I have already achieved this in a manual way:

I used a case function to give a number to every value of the Compliance field (the order in which it should appear) and sorted on it.

But I need it in such a way that there is no need to add to the query for every new piece of data.

Any suggestion or idea would be appreciated.

Thank you.


gcusello
SplunkTrust

Hi @vinod743374,

you could use the append command, something like this

(I assumed that Enabled Password is a field and not a count):

index=your_index
| fields Compliance "Enabled Password"
| append [ | inputlookup your_lookup.csv | fields Compliance "Enabled Password" ]
| sort Compliance
| table Compliance "Enabled Password"

Ciao

Giuseppe

 

 
