Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to combine information from 2 different sources like sourcetype=eea:loghandler and lookup file

silviuchiric76
New Member
‎01-29-2020 04:06 AM

Dear all

I have 2 data sources: logs forwared to the server as :
sourcetype=eea:loghandler
and lookup definition file as users_with_email

file
called users_with_email.csv

I have a key field in both sources the same:
in sourcetype=eea:loghandler is called user with values like firstname.lastname@domain.com
and in lookup definition file I have email field, same value firstname.lastname@domain.com
and this is the case for all users

I need to get an aggregated reports of users from

sourcetype=eea:loghandler by joining the department field from lookup definition file users_with_email(users_with_email.csv)

When I try to make an OR:
sourcetype=eea:loghandler OR inputlookup users_with_email
got no results

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-30-2020 06:34 AM

Hi @silviuchiric76,
you should try something like this:

sourcetype=eea:loghandler
| lookup users_with_email.csv email AS user OUTPUT department
| dedup user
| sort user
| table user department

A little hint: use always index in your searches to have faster results!

Ciao.
Giuseppe

0 Karma
Reply

silviuchiric76
New Member
‎01-29-2020 04:17 AM

I am interested for an inner join after email.users_with_email = eea:loghandler.user

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...