Re: Need help with Splunk lookup query

phularah · ‎08-09-2023

I have a lookup test_lookup with 2 fields a1 and b1. The field a1 is common with the fields in the raw data.
the values of field a1 and b1 are as follows:
a1 a2

a 1

a 2

b 3

b 4

What would be the o/p of the command ....| lookup test_lookup a1 OUTPUT a2?

phularah · ‎08-09-2023

hmm, I was asked this question in the Splunk interview today and was confused. So, the search would give an error or search won't work?

gcusello · ‎08-09-2023

Hi @phularah,

usually you don't have any result in the OUTPUTTED fields when a key is duplicated, instead you should have the correlation for unique keys.

In your example youshuldn't have any value for a2 because a1 are both duplicated, if you have only one "c" value dor a1, you should have the related a2 value.

Ciao.

Giuseppe

gcusello · ‎08-09-2023

Hi @phularah,

yes this is the correct syntax, but the problem is that you have more than one value for a1, so the lookup command doesn't know which value must be associated.

You should use a unique value field as key.

Ciao.

Giuseppe

How to create Splunk lookup query?

lookup

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation