Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to correlate a field from a query to a field from a lookup file?

dionrivera
Communicator
‎04-04-2023 12:32 PM

Hello. I've been watching a few lookup videos but they mostly concentrate on extracting data from a lookup file. None of them are addressing a case where you have to correlate a field from a query to a field from a lookup file. Here is my example. I have a query (index=web username=mike) I would like to pull Mike's email from a emaillookup.csv file so that my final table result looks like below. 

 

username    email

mike               mike@yahoo.com

 

So far, I have tried index=web username=mike | lookup emaillookup.csv email OUTPUT username with no success

Labels (2)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎04-06-2023 12:57 PM

Like this:

index="web" AND username="mike"
| lookup emaillookup.csv nameFieldInLookupFIle AS username OUTPUT email

0 Karma
Reply

dionrivera
Communicator
‎04-07-2023 09:09 AM

Thank you. I figured out my problem.

On the query I was trying to use username=mike and trying to reference the name mike in my emaillookup.csv lookup table. However, the name in the lookup table was in the form of mike@my-site.com . I had to regex the "@my-site.com" from the name mike in order to reference mike.  Once I was referencing mike on both the query and the lookup table, I was able to pull the fields I needed. 

Thanks for both of your recommendations

0 Karma
Reply

woodcock
Esteemed Legend
‎04-07-2023 09:34 AM

You can create a lookup definition and use "WILDCARD(user)" and make it "mike*" and it will match either.

Reply

dionrivera
Communicator
‎04-12-2023 10:18 AM

So, if I had more than one user, could I use WILDCARD(user*)?

0 Karma
Reply

woodcock
Esteemed Legend
‎04-12-2023 10:26 AM

Any user that starts with "mike" would match.

0 Karma
Reply

tscroggins
Influencer
‎04-06-2023 10:24 AM

Hi,

Try swapping your input and output fields:

index=web username=mike | lookup emaillookup.csv username output email

The lookup command takes the form:

| lookup <lookup_name> <lookup_field_name> [as <event_field_name>] output <lookup_field_name_1> [as <event_field_name_1>] [<lookup_field_name_2> [as <event_field_name_2>] ...]

0 Karma
Reply
Get Updates on the Splunk Community!

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...