How to create Splunk lookup query?

phularah · ‎08-09-2023

I have a lookup test_lookup with 2 fields a1 and b1. The field a1 is common with the fields in the raw data.
the values of field a1 and b1 are as follows:
a1 a2

a 1

a 2

b 3

b 4

What would be the o/p of the command ....| lookup test_lookup a1 OUTPUT a2?

phularah · ‎08-09-2023

hmm, I was asked this question in the Splunk interview today and was confused. So, the search would give an error or search won't work?

gcusello · ‎08-09-2023

Hi @phularah,

usually you don't have any result in the OUTPUTTED fields when a key is duplicated, instead you should have the correlation for unique keys.

In your example youshuldn't have any value for a2 because a1 are both duplicated, if you have only one "c" value dor a1, you should have the related a2 value.

Ciao.

Giuseppe

gcusello · ‎08-09-2023

Hi @phularah,

yes this is the correct syntax, but the problem is that you have more than one value for a1, so the lookup command doesn't know which value must be associated.

You should use a unique value field as key.

Ciao.

Giuseppe

How to create Splunk lookup query?

lookup

stats

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

How to create Splunk lookup query?

lookup

stats

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk