Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create Splunk lookup query?

phularah
Communicator
‎08-09-2023 04:57 AM

I have a lookup test_lookup with 2 fields a1 and b1. The field a1 is common with the fields in the raw data.
the values of field a1 and b1 are as follows:
a1   a2 

a       1   

a        2

b        3

b        4

What would be the o/p of the command ....| lookup test_lookup a1 OUTPUT a2?

Labels (2)
Labels
Tags (1)
0 Karma
Reply

phularah
Communicator
‎08-09-2023 05:45 AM

hmm, I was asked this question in the Splunk interview today and was confused. So, the search would give an error or search won't work? 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-09-2023 06:07 AM

Hi @phularah,

usually you don't have any result in the OUTPUTTED fields when a key is duplicated, instead you should have the correlation for unique keys.

In your example youshuldn't have any value for a2 because a1 are both duplicated, if you have only one "c" value dor a1, you should have the related a2 value.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-09-2023 05:08 AM

Hi @phularah,

yes this is the correct syntax, but the problem is that you have more than one value for a1, so the lookup command doesn't know which value must be associated.

You should use a unique value field as key.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...