How to combine the results of a query to matching ...

nikhilhanda · ‎05-07-2016

first search:
index=prod |table assetId,SIZE,FORMAT,_time,processingHint |where assetId!="null"|outputlookup assetId_format_time.csv

second search
index =prod host=* [| inputlookup assetId_format_time.csv | fields+ assetId] | table assetId,clientId,mime,UserClientId,FORMAT,SIZE,_time,processingHint

but in second search results only clientId,mime,UserClientId should be from second search, and assetId,FORMAT,SIZE,_time,processingHint should be from the inputlookup table.

sundareshr · ‎05-07-2016

Try the join command, like this

index =prod host=* | join assedId [| inputlookup assetId_format_time.csv ] | table assetId,clientId,mime,UserClientId,FORMAT,SIZE,_time,processingHint

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join

nikhilhanda · ‎05-08-2016

I have tried the join command but results are not which i require.
What i require is that clientId,mime,UserClientId should get appended to matching assetId values in the table assetId_format_time.csv the table contains 4 columns including assetId column. resulting into a table which has total of 7 columns.

Thanks

How to combine the results of a query to matching fields of a column of an inputlookup csv file?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio