Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a search with 2 columns in lookup?

ejulien
Engager
‎01-26-2021 12:58 PM

I would like to do a search using 2 columns in a lookup table where the row is AND'd.  Something like

Col1 Col2
A 1
B 2
C 3
D 4

 

where the search would be equivalent to

index=myindex (Col1=A AND Col2=1) OR (Col1=B AND Col2=2) OR (Col1=C AND Col2=3) OR (Col1=D AND Col2=4)
Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎01-26-2021 01:16 PM

@ejulien 

Try this

index=myindex [ | inputlookup yourlookup.csv | table Col1 Col2 ]

You can see the effect of the subsearch by running just this command

| inputlookup yourlookup.csv | table Col1 Col2 | format

Hope this helps

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎01-26-2021 01:16 PM

@ejulien 

Try this

index=myindex [ | inputlookup yourlookup.csv | table Col1 Col2 ]

You can see the effect of the subsearch by running just this command

| inputlookup yourlookup.csv | table Col1 Col2 | format

Hope this helps

 

0 Karma
Reply
Solved! Jump to solution

ejulien
Engager
‎01-26-2021 03:31 PM

@bowesmana thanks.  It looks like it works.

I was getting some errors with this answer initially, but it was because my actual search has a rex statement right before the inputlookup line.  I found the putting a "| search *" between the two fixed the error.

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...