Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to append the field by matching two different data source

ninadbhaskarwar
Path Finder
‎06-20-2017 01:03 PM

I have one Source =”ABC.csv” and a lookup “a_alert”.

ABS.csv contains fields such as ID, Description (200 free character field)

a_alert contain one field a_type e.g. Monitoring, Access, Deployment

I need a query which can match Description from ABC.csv to a_type from a_alert and create the append a field in the ABC.csv
Final output should be

ID Description a_type
1 User having Access Issue Access
2 …. Monitoring ……. Monitoring
3 … product having successful deployment Deployment
4 Access Issue with .. type of Users Access
alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-20-2017 01:50 PM

Assuming the word in the lookup a_type (e.g. Access, Monitoring etc) contained in the Description field in your data from source=ABC.csv, you would need to setup a lookup table with wildcard.

Everything on Search Head, will need to restart Splunk after config change.
Step1: Update your lookup table a_alert to include wildcard characters.

a_type   ---this is the header
*Access*
*Monitoring*
*Deployment*
...

Step2: (assuming lookup table a_alert.csv is already uploaded as lookup) Create a lookup transform with wild card mat
transforms.conf on any app/local directory in $Splunk_home/etc/apps

[alert_lookup]
 filename = a_alert.csv
 match_type = WILDCARD(a_type)

Step 2: add lookup command to your search

your base search giving field ID Description
| lookup alert_lookup a_alert as Description OUTPUT a_type

Reference:
https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html

View solution in original post

Reply
Solved! Jump to solution

ninadbhaskarwar
Path Finder
‎06-21-2017 10:50 AM

Both of above worked for me, only change I did for solution provided by @somesoni2 i.e.

your base search giving field ID Description
|lookup alert_lookup a_type as Description OUTPUT a_type

instead of a_alert I have used a_type which is given by @woodcock .Also I have used regex from @woodcock

Thanks to @somesoni2 and @woodcock for providing quick solution

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-20-2017 05:09 PM

You have a source of ABC.csv that looks like this:

ID (integer), Description (200 free character field)

You have a lookup called a_alert that contains one field like this:

a_type
Monitoring
Access
Deployment

You need a query which can match Description from ABC.csv to a_type from a_alert and create/append a_field so that the final output is like this:

ID    a_type        Description
1     Access        User having Access Issue
2     Monitoring    …. Monitoring …….
3     Deployment    … product having successful deployment
4     Access        Access Issue with .. type of Users

You need to change your a_alert lookup to a wildcard (and possibly case_insensitive, if you'd like that, too); there is a special setting in transforms.conf to enable this. Then add bounding asterisks by doing this ONLY ONCE:

| inputlookup a_alert | eval a_type = "*" . a_type . "*" | outputlookup a_alert

Now you have this:

a_type
*Monitoring*
*Access*
*Deployment*

Finally, you do your search like this:

| inputcsv ABC.csv
| lookup a_alert a_type AS Description OUTPUT a_type
| rex field=a_type mode=sed "s/^\*// s/\*$//"
| table ID a_type Description
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-20-2017 01:50 PM

Assuming the word in the lookup a_type (e.g. Access, Monitoring etc) contained in the Description field in your data from source=ABC.csv, you would need to setup a lookup table with wildcard.

Everything on Search Head, will need to restart Splunk after config change.
Step1: Update your lookup table a_alert to include wildcard characters.

a_type   ---this is the header
*Access*
*Monitoring*
*Deployment*
...

Step2: (assuming lookup table a_alert.csv is already uploaded as lookup) Create a lookup transform with wild card mat
transforms.conf on any app/local directory in $Splunk_home/etc/apps

[alert_lookup]
 filename = a_alert.csv
 match_type = WILDCARD(a_type)

Step 2: add lookup command to your search

your base search giving field ID Description
| lookup alert_lookup a_alert as Description OUTPUT a_type

Reference:
https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html

Reply
Solved! Jump to solution

ninadbhaskarwar
Path Finder
‎06-21-2017 01:41 PM

Can you please help me to make this case insensitive

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-21-2017 01:48 PM

Add this to your lookup definition in transforms.conf (under [alert_lookup])

case_sensitive_match = false
0 Karma
Reply
Solved! Jump to solution

ninadbhaskarwar
Path Finder
‎06-21-2017 09:21 PM

Thanks it worked

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...