Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a search with 2 columns in lookup?

ejulien
Engager
‎01-26-2021 12:58 PM

I would like to do a search using 2 columns in a lookup table where the row is AND'd.  Something like

Col1 Col2
A 1
B 2
C 3
D 4

 

where the search would be equivalent to

index=myindex (Col1=A AND Col2=1) OR (Col1=B AND Col2=2) OR (Col1=C AND Col2=3) OR (Col1=D AND Col2=4)
Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎01-26-2021 01:16 PM

@ejulien 

Try this

index=myindex [ | inputlookup yourlookup.csv | table Col1 Col2 ]

You can see the effect of the subsearch by running just this command

| inputlookup yourlookup.csv | table Col1 Col2 | format

Hope this helps

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎01-26-2021 01:16 PM

@ejulien 

Try this

index=myindex [ | inputlookup yourlookup.csv | table Col1 Col2 ]

You can see the effect of the subsearch by running just this command

| inputlookup yourlookup.csv | table Col1 Col2 | format

Hope this helps

 

0 Karma
Reply
Solved! Jump to solution

ejulien
Engager
‎01-26-2021 03:31 PM

@bowesmana thanks.  It looks like it works.

I was getting some errors with this answer initially, but it was because my actual search has a rex statement right before the inputlookup line.  I found the putting a "| search *" between the two fixed the error.

Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...