How to combine lookup file with splunk query, stat...

san112491 · ‎10-05-2022

Static data with one common field app Name as splunk query.

gcusello · ‎10-06-2022

as @yuanliu said, you have to find the correlation key between main search and lookup: if the common fields have the same name you can use something like this:

<your_search>
| lookup your_lookup.csv common field

if instead the field name to correlate are different, you can use:

<your_search>
| lookup your_lookup.csv lookup_field AS main_search_field

For more infos I hint to read at https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Lookup

Ciao.

giuseppe

yuanliu · ‎10-05-2022

Not sure what the real question is. Assuming your static data is in the lookup file, you just define a lookup with that file, then use lookup, e.g.,

| lookup mylookup common_field

All other fields in mylookup will be populated according to match.

How to combine lookup file with splunk query, static data with live data

eval

stats

table

timechart

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation